US20040030776A1 - Multi-level packet screening with dynamically selected filtering criteria - Google Patents
Multi-level packet screening with dynamically selected filtering criteria Download PDFInfo
- Publication number
- US20040030776A1 US20040030776A1 US10/217,862 US21786202A US2004030776A1 US 20040030776 A1 US20040030776 A1 US 20040030776A1 US 21786202 A US21786202 A US 21786202A US 2004030776 A1 US2004030776 A1 US 2004030776A1
- Authority
- US
- United States
- Prior art keywords
- traffic
- filtering criteria
- filtering
- load
- packet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
Definitions
- the present invention relates to the screening of packet traffic at multiple levels and, in particular, to a hierarchical screening technique where the filter screen criteria at each level may be dynamically selected based on, for example, processing capabilities at each level and/or variations in packet traffic mix.
- the need to screen packet traffic arises in a number of recognized scenarios.
- One such scenario is in the context of a network intrusion detection system (IDS) application where passing packet traffic is examined for threatening or dangerous content.
- IDS network intrusion detection system
- the suspect packet traffic is identified and captured or dropped (perhaps using a firewall) before it has a chance to enter a protected network.
- packet filtering is performed by first filtering packet traffic with a first filtering criteria to generate a first pass traffic portion and a fail traffic portion.
- the fail traffic portion is then second filtered with a second filtering criteria to generate a second pass traffic portion and a reject traffic portion.
- the first filtering detects suspicious packet traffic for output as the fail traffic portion and the second filtering detects threatening packet traffic within the suspicious packet traffic for output as the reject traffic portion.
- the first filtering triggers a suspicion of dangerous packets within the packet traffic and produces suspicious packets as the fail traffic portion, while the second filtering confirms the presence of dangerous packet traffic within the fail traffic portion and selects dangerous packets as the reject traffic portion.
- load is measured, with the first and second filtering criteria being dynamically selected and altered based on measured load. Changes to the selected first and second filtering criteria are based on changes in measured load.
- the measurement of load detects an imbalance in load between the first and second filtering operations. The dynamic selection then operates to alter the first and second filtering criteria to better balance filtering load.
- the first set of filtering criteria are characterized by being higher throughput, lower accuracy filtering criteria
- the second set of filtering criteria are characterized by being lower throughput, higher accuracy filtering criteria.
- the operation for dynamic selection adjusts the relative throughputs and accuracies of the first and second filtering criteria.
- the adjustment alters a complexity of the first and second filtering criteria to also alter the relative throughputs and accuracies. This is accomplished through a dynamic adaptation process that is responsive to one or more characteristics and/or factors.
- the adjustment alters a comprehensiveness of the first and second filtering criteria to also alter the relative throughputs and accuracies. Again, this is accomplished through a dynamic adaptation process that is responsive to one or more characteristics and/or factors.
- FIG. 1 is a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with an embodiment of the present invention
- FIG. 2 is a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with another embodiment of the present invention
- FIG. 3 is a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with yet another embodiment of the present invention.
- FIG. 1 a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with an embodiment of the present invention.
- a screening engine 10 (useful in a number of applications including, for example, network protection, intrusion detection, firewalling, anti-virus content filtering, and the like) implements a multi-level processing technique.
- a first level 12 also referred to as a triggering or detection level
- a corresponding first filter 14 receives packet traffic 16 and screens that received traffic against a first set of filtering criteria 18 .
- a portion 20 of the received traffic 16 that passes the first set of filtering criteria 18 is output from the screening engine 10 .
- a portion 22 of the received traffic 16 which does not pass the first set of filtering criteria 18 is forwarded on for further examination by a second level 24 of the screening engine 10 .
- the second level 24 (also referred to as a confirmation or catch level) implements a corresponding second filter 26 that receives the failing portion 22 of the packet traffic 16 and screens that received traffic against a second set of filtering criteria 28 .
- a portion 30 of the received traffic (failing portion) 22 passes the second set of filtering criteria 28 and is output from the screening engine 10 to join the packet portion 20 as the pass packet traffic output.
- a portion 32 of the received traffic (failing portion) 22 which does not pass the second set of filtering criteria 28 is then rejected. The rejected packets are then output and acted on as needed (for example, by logging, discarding, alert generation, and the like).
- FIG. 1 Although two levels of hierarchical processing are illustrated in FIG. 1, it will be understood by those skilled in the art that this is exemplary in nature.
- the embodiment of the present invention illustrated in FIG. 1 may include three or more levels of processing if desired, with each subsequent and/or additional level being structured in a manner similar to the levels of the first and/or second filters.
- each increase in level comes a more stringent examination of the packets using filtering criteria designed at each incremental level to more accurately detect suspicious or dangerous traffic.
- FIG. 1 primarily illustrates all traffic that fails the first filtering test (i.e., the failing portion 22 ) being passed on for second filter processing
- the first filter will be able to identify some of the traffic in the portion 22 as definitely being threatening or dangerous.
- This unambiguously recognized portion 22 ′ of dangerous traffic need not be further processed in the second filter 26 for confirmation and may instead be passed on directly with the rejected portion 32 (as shown by the dotted line) to form the rejected packet output for further handling as needed.
- An advantage of configuring the engine 10 in such a manner is an increase in throughput with respect to second level 24 processing.
- a certain relationship is defined between the screening criteria implemented by the first and second filters 14 and 26 , respectively, to provide for improved screening engine 10 throughput performance (speed and accuracy).
- the first set of filtering criteria 18 are implemented as a triggering mechanism to allow for relatively high speed examination of the received packet traffic 16 where limited processing capability filtering is used with a design to catch substantially all suspicious traffic, understanding that the filter 14 will inevitably erroneously additionally capture some benign traffic (i.e., accuracy is relatively low and there will be a number of false positives) along with the dangerous traffic.
- this first level 12 screening implicates header field compares and trigger content searches (i.e., short string compares) that can be performed at higher speed using less complex algorithms and processes with the screened output being more susceptible to including errors.
- the second set of filtering criteria 28 are implemented as a confirmation mechanism to allow for lower speed examination of the portion 22 of the packet traffic 16 where more complex processing capability filtering is used with a design to more carefully examine the suspicious traffic (identified by the first filter 14 ) and identify the most likely threatening or dangerous traffic, understanding again that the filter 26 may erroneously capture some benign traffic (i.e., accuracy is relatively high, although there could be a minimal number of false positives), but that the likelihood of this occurring will be significantly smaller than that experienced with the first filter 14 .
- this second level 24 screening implicates protocol decoders and regular expression matching (i.e., long string compares) at lower speed using more complex algorithms and processes with the screened output being less susceptible to including errors.
- the accuracy/throughput relationship between the first set of filtering criteria 18 (for triggering suspicion) and the second set of filtering criteria 28 (for confirming presence) may be better understood using an example.
- the first set of filtering criteria 18 in an exemplary implementation may include a screen designed to quickly examine passing packets and to cast a broad net for the capture of any traffic that is even remotely suspicious (for example, based on header field compares and short string compares). Because this triggering screen does not necessarily require a detailed or comprehensive examination of each passing packet in the traffic 16 , the analysis performed by the first filter 14 may be completed relatively quickly on a packet-by-packet basis thus enabling, with respect to the portion 20 of the received traffic 16 that passes, a relatively high throughput.
- the second set of filtering criteria 28 in an exemplary implementation may include a screen designed to more thoroughly examine the suspicious packet portion 22 and carefully consider the packets (either alone or in combination groups with other preceding packets) for dangerous content (for example, based on protocol decoders and long string compares).
- this confirmation screen implements a more detailed or comprehensive examination of each packet output in the first level screened portion 20 , the analysis performed by the second filter 26 could take significantly more time per packet and slows the throughput of these packets. However, due to the first level of screening there are fewer packets that need to be more carefully examined. Additionally, because the screening analysis is more detailed and comprehensive, and more specifically because the parameters of the screen are narrower and more focused to look for certain characteristics in the suspicious traffic, only that traffic that is most likely to be dangerous is caught (i.e, accuracy is high), and the remaining traffic is released delayed only slightly by the time required to confirm the legitimacy of that traffic.
- FIG. 2 a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with another embodiment of the present invention.
- Like reference numbers refer to similar or identical components. Additionally, although illustrated with only two levels, it will be understood that the embodiment may use three or more levels of filtering as desired.
- the volume and nature of the packet traffic 16 tends to vary over time.
- the traffic mix is such that screening of the packets do not demand the use of significant processing resources
- the first filter 14 is not highly loaded and could be used to perform additional or more comprehensive screenings.
- some of this processing may be off-loaded to the second filter to more efficient share load.
- the embodiment of FIG. 2 takes advantage of these natural variations in packet traffic mix by adjusting the criteria 18 and 28 used for filtering at each level. These adjustments account for variations in traffic mix and better balance load between the included levels.
- the engine 10 may change the first set of filtering criteria 18 to perform, at the first filter 14 , some of the screening that would otherwise have been performed using the second set of filtering criteria 28 at the second filter 26 .
- this “enhanced” first set of filtering criteria 18 ′ implements a more detailed or comprehensive examination of each packet (i.e., it is, relatively speaking, more accurate), overall throughput may be improved.
- the enhancement of criteria that are added to form the first set of filtering criteria 18 ′ are not needed in the second set of filtering criteria 28 , and thus the second filter 26 may apply a modified second set of filtering criteria 28 ′ that continues to implement a comprehensive, but more narrowly focused, screening than was performed in FIG. 1.
- a switch back and forth between the criteria 18 and 18 a ′ and the criteria 28 and 28 a ′ made be implemented as needed in response to detected changes in traffic mix.
- the adjustments made to the first and second sets of filtering criteria essentially comprise altering the relative throughputs and accuracies of the filters. For example, a first filter applying a high throughput, low accuracy set of filtering criteria may be adjusted to provide for a somewhat lower throughput with a higher relative accuracy in certain situations. Conversely, a second filter applying a low throughput, high accuracy set of filtering criteria may be adjusted to provide continued accuracy, but less comprehensive, screenings at a lower relative throughput in those situations. These adjustments are made responsive to detected variations in the packet traffic mix and may be used to correct for a perceived imbalance in load between the first and second filters.
- Load on the screening engine 10 in general, and its constituent filters in particular, is measured (reference 36 ) and used to trigger selected changes in the sets of filtering criteria applied by the first and second filters 14 and 26 , respectively.
- Load in this context refers to any one factor (reference 38 ), or combination of more than one factor, including, for example, traffic volume, processor loading factors or ratios, detection of excessive amounts of certain traffic types, packet drops, throughput rates, filter criteria, and the like.
- the screening engine responds dynamically to adjust the applied sets of filtering criteria (reference 42 ; with respect to relative accuracy, throughput, complexity and/or comprehensiveness, for example) so as to better spread or balance the load between the available filters.
- reference 42 Several non-limiting examples of such an operation are provided herein to illustrate the load-responsive operation of the engine 10 .
- the load device 36 of the screening engine 10 may utilize a traffic monitor 40 to measure the volume of certain types of packet traffic 16 . From this information, the load device 36 dynamically adjusts the filtering criteria being implemented by each of the first and second filters 14 and 26 . For example, if the volume of a certain type of packet traffic 16 measured exceeds a first threshold (indicative of a relatively high traffic level), the load device 36 configures the first and second filters 14 and 26 to implement the first and second sets of filtering criteria 18 and 28 , respectively, as discussed above in FIG. 1.
- the first set of filtering criteria 18 provide a relatively high speed (high throughput) examination of the received packet traffic 16 with limited processing capability filtering being implemented to catch substantially all suspicious traffic (but not necessarily accurately detect dangerous or threatening traffic), while the second set of filtering criteria 28 provide a lower speed (low throughput) examination of the portion 22 of the packet traffic 16 with more complex processing capability filtering being implemented to more carefully examine the suspicious traffic and accurately identify the most likely threatening traffic.
- the load device 36 configures the first and second filters 14 and 26 to implement the enhanced first and modified second sets of filtering criteria 18 ′ and 28 ′, respectively, as discussed above, by modifying the relative throughput and accuracy characteristics of the filtering criteria.
- the modified first set of filtering criteria 18 ′ continues to provide for a relatively high speed examination of the received packet traffic 16 , however, a slightly more extensive processing capability filtering is implemented to improve accuracy and catch the more (or most) suspicious portion 22 of the traffic 16 (and perhaps generate the portion 22 ′).
- the second set of filtering criteria 28 ′ continues to provide a lower speed examination of the portion 22 of the packet traffic 16 with more complex processing capability filtering (perhaps minus that used in the first filter 14 to provide some improvement in throughput) being implemented to more carefully examine the suspicious traffic and identify the most likely threatening traffic.
- the relationships between the first and second sets of filtering criteria 18 and 28 and the enhanced first and modified second sets of filtering criteria 18 ′ and 28 ′ may be better understood using an example.
- a spectrum of available filtering criteria F( 1 )-F(n) relating to detection of a certain threat or danger where, for each piece of criteria F: (a) the complexity of the filtering performed by the criteria increases as n increases; (b) the speed of packet screening performed by the criteria decreases as n increases; and (c) the likelihood of the criteria screening process erroneously catching a packet (i.e., a false positive) decreases as n increases.
- the first set of filtering criteria 18 may comprise certain filtering criteria F( 1 )-F(m), while the second set of filtering criteria 28 comprise certain filtering criteria F(m+1)-F(n).
- the division of the spectrum at point m by load device 36 reflects a choice made to balance throughput concerns against accuracy in the first filter.
- filtering criteria F( 1 )-F(m) as the first set of filtering criteria 18 , the packets 16 will be quickly processed, by less complex or comprehensive algorithms, but with an increased likelihood of false positives in the portion 22 .
- the enhanced first set of filtering criteria 18 ′ may comprise certain filtering criteria F( 1 )-F(p), while the modified second set of filtering criteria 28 ′ comprise certain filtering criteria F(p+1)-F(n), wherein p>m.
- the division of the spectrum at point p again reflects a choice made by the load device 36 to balance throughput concerns against accuracy at the first filter. However, in this case, because the volume of packet traffic is lower, there is less concern over satisfactorily handling throughput, which allows a more accurate and complex screen to be used by the first filter 14 by including in the enhanced first set of filtering criteria 18 ′ the filtering criteria F(m)-F(p) which otherwise would have been implemented by the second set of filtering criteria 28 .
- criteria F(m)-F(p) in the enhanced first set of filtering criteria 18 ′, there is no need for those criteria to again be applied at another level thus allowing for the implementation of the modified second set of filtering criteria 28 ′. Because the modified second set of filtering criteria 28 ′ is now performing fewer checks on the portion 22 , processing speed for each examined packet should increase (with no degradation, however, in accuracy).
- the selection of where the division point (m, p, or the like) lies in the spectrum of available filtering criteria F( 1 )-F(n) is made by the load device 36 using, for example, a traffic monitor 40 measured level of packet volume.
- the division point When the measured volume is relatively high, for example at or above the first threshold, the division point is selected closer to the F( 1 ) end of the spectrum (relatively speaking, higher throughput and lower accuracy). Conversely, when the measured volume is relatively low, for example at or below the second threshold, the division point is selected closer to the F(n) end of the spectrum (relatively speaking, lower throughput and higher accuracy).
- the first and second thresholds are different (with first>second) to define a hysteresis of traffic volume change which must be overcome before a switch in the applied sets of filtering criteria is made by the load device 36 .
- This hysteresis prevents the load device 36 from changing the applied sets of filtering criteria in a ping-pong manner responsive to normal and expected fluctuations in measured volume. It is only responsive to a change in measured volume that overcomes the hysteresis that applied sets of filtering criteria are switched.
- the traffic monitor 40 may sample the volume of packet traffic with any selected rate desired by the user. Choosing a faster rate allows the engine 10 load device 36 to dynamically respond more quickly to volume changes with corresponding switches in the sets of filtering criteria. A faster rate also allows the load device 36 to consider more data points with each determination. In this way, it will be understood that the measured volume used for making the criteria switching determination may comprise either an instantaneous volume presented by a single data point or an average (or mean) volume presented by a plurality of data points.
- the traffic monitor 40 may identify traffic type and measure volume separately for each traffic type.
- the engine 10 may have a particular interest in a certain type of traffic, where type may refer to protocol type (HTTP, FTP, DNS, and the like), because filter screening of traffic of that type requires significantly greater amounts of processing resources than other traffic.
- type may refer to protocol type (HTTP, FTP, DNS, and the like)
- the traffic monitor 40 may identify traffic origination and measure volume separately for certain originations or destinations of interest.
- the engine 10 may have a particular interest in a certain origin of traffic, where origin may refer to origination address, port ID, protocol destination address, because filter screening of traffic from that origin requires significantly greater amounts of processing resources than other traffic. In the event a significant amount of such traffic were detected, some adjustment may need to be made to the first set of filtering criteria 18 to ensure that the first filter 14 was not overloaded by the presence of that traffic.
- the load device 36 may include a filter load monitor 40 ′ that operates to measure the processing load on each of the first filter 14 and the second filter 26 .
- the load monitor 40 ′ discovers that either filter is overloaded in its processing of received packets (for example, when the dropping of packets is detected) or is approaching an overload situation (for example, when processor utilization and/or memory utilization exceed certain thresholds), this indicates that the packet handling loads for the engine 10 are not properly balanced between the first and second filters 14 and 26 , respectively.
- the load device 36 may adjust the sets of filtering criteria implemented by the filters (with respect to relative throughput and accuracy, for example) to better balance the load and improve performance.
- the sets of filtering criteria implemented by the filters are adjusted so that a less accurate set of filtering criteria (i.e., the division point is selected closer to the F( 1 ) end of the spectrum) is selected for the first filter.
- a less accurate set of filtering criteria i.e., the division point is selected closer to the F( 1 ) end of the spectrum
- the load monitor 40 ′ detects that the first filter 14 is overloaded
- the sets of filtering criteria implemented by the filters are adjusted so that a less accurate set of filtering criteria (i.e., the division point is selected closer to the F( 1 ) end of the spectrum) is selected for the first filter.
- the sets of filtering criteria implemented by the filters are adjusted so that a more accurate set of filtering criteria (i.e., the division point is selected closer to the F(n) end of the spectrum) is selected for the first filter 14 .
- a more accurate set of filtering criteria i.e., the division point is selected closer to the F(n) end of the spectrum
- the load monitor 40 ′ may alternatively operate to measure filter load in comparison to a threshold representing a percentage of load capacity. In the event the measured filter load exceeds the threshold, the load device 36 initiates a load balancing operation. Filter load in this instance may comprise a measure of false positives generated by a given filter level. In the event the load monitor 40 ′ detects from higher level filter (for example, the second filter 26 ) analysis that a lower level filter (for example, the first filter 14 ) is generating an excessive number of false positives, the load device 36 may instruct the lower level filter to adjust its set of filtering criteria to increase accuracy. Responsive thereto a more comprehensive set of filtering criteria may be instantiated by the lower level filter. A corresponding change may, or may not, be implemented by the higher level filter to remove redundant filtering criteria.
- an appropriately selected hysteresis may be used to inhibit changes in the same manner as discussed above with respect to traffic volume.
- the load device 36 and its associated traffic monitor 40 and/or load monitor 40 ′ are illustrated as being functionally separate from the first and second filters, it will be understood that the load balancing-related functionalities may be integrated within the first and second filters (as illustrated by interconnected 44 dotted boxes 36 ′).
- the higher level filter for example, the second filter 26
- the higher level filter may, on its own, be configured to detect that a lower level filter (for example, the first filter 14 ) is generating an excessive number of false positives. This could be recognized, for example, by comparing the number of packets it receives (i.e., the suspicious packets) to the number of packets it rejects.
- the higher level filter may be overloaded by the processing of too many false positives and issues a request to the lower level filter to instantiate a more comprehensive set of filtering criteria (i.e., criteria that are less likely to capture false positives in the suspicious traffic).
- the lower level filter responsive to that request, examines its own loading factor and, if the requested change would not place the lower level filter in danger of overload, implements the new filtering criteria as requested.
- the lower level filter evaluates its own loading factor and, if it is determined to be in danger of overload instantiates a less comprehensive set of filtering criteria that would allow for faster throughput with an increased likelihood of capturing false positives within the identified suspicious traffic.
- the higher level filter is informed of this change and responds, if necessary, by instantiating a more comprehensive set of filtering criteria to account for the criteria change implemented at the lower level.
- FIG. 3 a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with another embodiment of the present invention.
- Like reference numbers refer to similar or identical components. Additionally, although illustrated with only two levels, it will be understood that the embodiment may use three or more levels of filtering as desired.
- the first filter 14 is implemented through a selected one or more of a plurality of trigger filter modules 14 ( 1 )- 14 ( n ), where n is not necessarily the same index as recited above for the filter criteria F.
- the second filter 26 is implemented through a selected one or more of a plurality of confirmation filter modules 26 ( 1 )- 26 ( m ), where m is not necessarily the same index as recited above for the filter criteria F.
- a generator module 100 operates to select 102 which one (or ones, in combination) of the trigger filter modules 14 ( 1 )- 14 ( n ) are chosen to operate on the packet traffic 16 , as well as which one (or ones, in combination) of the confirmation filter modules 26 ( 1 )- 26 ( m ) are chosen to operate on the suspicious portion 22 of the traffic 16 produced by the first filter 14 .
- modules 14 ( n ) and 26 ( m ) may represent the existence of corresponding plural sets of criteria 18 and 28 , respectively, within the first and second filters 14 and 26 of FIG. 1.
- Each one of the plurality of trigger filter modules 14 ( 1 )- 14 ( n ) and confirmation filter modules 26 ( 1 )- 26 ( m ) that is available for selection by the generator module 100 is designed to perform a specific screening operation.
- a processing operation is first designed to detect the presence of a certain threat or danger. This processing operation may be referred to as a detection signature.
- detection signature processing operations may need to be designed. These detection signature processing operations may be unique in some situations to certain threats and dangers. In other situations, one detection signature processing operation may be capable of detecting more than one threat or danger.
- a first detection processing operation may be provided as a first portion represented by filtering criteria 18 that is implemented in one of the trigger filter modules 14 ( n ) and a second portion represented by filtering criteria 28 that is implemented in one of the confirmation filter modules 26 ( m ).
- Those modules 14 ( n ) and 26 ( m ) are then selected 102 by the generator module 100 to perform screening operations. The process then repeats for a second and further detection processing operation, if necessary, such that plural modules 14 ( n ) and 26 ( m ) are selected to provide the required protection.
- This signature may be implemented as a single filtering operation using the test. However, when implemented in this fashion, even though the accuracy of the operation would be high (i.e., minimal to no instances of false positives), the test requires substantial processing resources at a single screening level and could significantly delay the passage of the packet traffic. It is recognized that the test may be divided into a number of factors. Continuing with the example set for above, the factors may be two, in which case the test may be factorized into a first portion referred to as a “trigger” and a second portion “confirmation” such that:
- the trigger portion is recognized as requiring less processing resources and may be performed without significant delay in packet throughput, but with a lower degree of accuracy (i.e., a greater likelihood of false positives).
- the confirmation portion requires significant processing resources and operates to accurately identify the false positives.
- the signature Sx may be implemented through a pair of filtering operations, with the trigger portion comprising the criteria 18 for one trigger filter module 14 ( n ) and the confirmation portion comprising the criteria 28 for one confirmation filter module 26 ( m ).
- the trigger may further be recognized as being configurable as a function of several sub-factors v such that:
- the sub-factors v may be any one or more of the following: test; the processing capabilities of the level (more specifically, the first level 12 ); other detection signatures; traffic; load, and the like.
- trigger could be a function of the sub-factor test in that the criteria 18 may be derived from the overall criteria of the test itself.
- trigger could be a function of the sub-factor processing capability of the trigger filter module 14 (n) in that selection of the criteria 18 is made such that it is readily implementable for efficient processing of the packet traffic with minimal throughput delay.
- trigger could be a function of the subfactor of other threat or danger detection signatures by recognizing commonalities between the signatures and choosing a single criteria 18 more efficiently useful in identifying suspicious traffic with respect to plural threats or dangers.
- trigger could be a function of the sub-factor current traffic or load situation for the engine 10 such that different criteria 18 would be used depending on current traffic and load characteristics at each level.
- the generator module 100 exercises a level of dynamic control over the screening process implemented at each level. More specifically, with respect to a given detection signature, multiple modules 14 ( n ) may be available for selection by the generator module 100 depending on any one or more factors (such as loading or traffic mix). Responsive to those factors, the generator module 100 switches among and between the modules 14 ( n ) for purposes of triggering a suspicion of a threat or danger in the traffic 16 and generating the portion 22 for further evaluation in the second level 24 . In making the switch, the generator module 100 may balance accuracy concerns against throughput concerns as well as evaluate relative loading on the various levels of the engine 10 to provide for an appropriate degree of sharing.
- factors such as loading or traffic mix
- multiple modules 26 ( m ) may be available for selection by the generator module 100 . Which of those modules is selected may depend on which module(s) 14 ( n ) are selected, as well as the same accuracy/throughput balancing and load sharing factors that influence the module 14 ( n ) selection. As discussed above, appropriate hysteresis controls may be implemented to govern when changes in the selected modules 14 ( n ) and 26 ( m ) are made.
- some complexity is eliminated in the first level processing thus allowing for a faster throughput and transfer for the detailed screening operation to the second level where it may be performed only against the failing traffic portion 22 .
- the detection signature for a first test may comprise a certain string ABCD (long string compare), while the detection signature for a second test may comprise a certain string AEFG (also a long string compare)
- the strings to be found by each of the tests shares string component A in common.
- a criteria 18 evaluated by the trigger filter 14 may be established to detect on the presence of string component A (i.e., a short string compare), with the benefit that this single trigger is used to relatively quickly detect the suspicion of the presence of the strings ABCD and AEFG.
- the trigger then becomes a function of not only the individual tests, but more importantly a plurality of detection signatures.
- triggering on string component A may generate a number of false positive catches (from benign strings that also include A) that would have to be caught in the long string compare confirmation filter by accurately applying the tests for strings ABCD and AEFG.
- the generator 100 monitors traffic load and type, and more particularly measures the effectiveness of the trigger filtering operation in predicting the presence of threatening or dangerous traffic, and dynamically adjusts the trigger to compensate.
- the generator 100 may detect a substantial amount of benign traffic originating from port 33000 being inadvertently caught by the trigger. This is undesirable because it slows the throughput of this benign traffic and unnecessarily adds to the processing load carried by the second level.
- This combination operation for the trigger filter criteria 18 adds slightly to the complexity of the first level operation while providing significant benefits in reducing second level load and improving the accuracy of the first level triggering operation.
- the generator 100 monitors load of the processing functions performed at each of the levels and dynamically adjusts the trigger as a function of load to compensate for overloads/underloads due to fluctuations in traffic and the accuracies of the screening processes performed at each level. For example, as discussed above, when the trigger allows excessive benign traffic to pass, load increases on the second level as it processes the suspicious traffic to detect the presence of threatening or dangerous traffic therein. This condition is detected by the generator 100 and an adjustment is made to increase the accuracy of the filtering operation performed at the first level. Similarly, when traffic is light, load on the first level decreases and the generator 100 may increase the accuracy of the first level filtering operation to increase its load and relieve the second level of some load. Conversely, when traffic is heavy, the first level processing load increases and the generator 100 may operate to decrease the accuracy of the first level processing to allow load decreases and a corresponding increase in throughput. Load balancing between the included filtering levels may thus be achieved.
- FIGS. 1 - 3 With respect to the filtering operations performed by the filters 14 and 26 at each of the levels in any of the embodiments, a number of processing functions may be considered and evaluated for purposes of use in, or in connection with, the filtering criteria.
- OSI layer 1 the physical hardware interface for packet communication may be considered.
- OSI layer 2 the following data link related coding, addressing and transmitting information may be considered: ethernet source/destination address, VLAN PRI/CFI, VLAN identifier and ethernet type, and MPLS labels.
- IP fields for example, source/destination address, payload length, fragbits, header length, ID field, offset field, options, protocol field, type of service field, time-to-live field and version field
- ARP fields ender and target MAC or protocol address, protocol or hardware type or size
- TCP fields source/destination port, data length, header length, acknowledgment number, flags, sequence number, urgent pointer, window and checksum
- ICMP type, code, sequence, ID, data length, checksum, icmp.code
- UDP source/destination port
- the processing functions may additionally evaluate protocol decode information as follows: HTTP (all header fields including request line, method, URI, protocol, host, content length, body), DNS, SMTP, SNMP, SMP, FTP, and the like. Still further, the processing functions may evaluate: fixed string-fixed offset, fixed string-variable offset, regular expression-fixed offset, regular expression-variable offset, collection of events, sequences of events, fragmentation, connection state, flow reassembly, normalization techniques (detect and eliminate overlapping fragments, evasion techniques), and hex and unicode decoding.
- the filtering alternations implemented in any of the disclosed embodiments may alternatively be selected and controlled by human intervention.
- the filtering criteria are user defined to tailor operation to the desires of the human manager, rather than operate under automatic control responsive to measured factors. It is also possible for the automatic operation to select a number of options for altering the filtering criteria, with those options presented to the human manager for consideration and selection.
Abstract
Description
- 1. Technical Field of the Invention
- The present invention relates to the screening of packet traffic at multiple levels and, in particular, to a hierarchical screening technique where the filter screen criteria at each level may be dynamically selected based on, for example, processing capabilities at each level and/or variations in packet traffic mix.
- 2. Description of Related Art
- The need to screen packet traffic arises in a number of recognized scenarios. One such scenario is in the context of a network intrusion detection system (IDS) application where passing packet traffic is examined for threatening or dangerous content. When such a threat is detected, the suspect packet traffic is identified and captured or dropped (perhaps using a firewall) before it has a chance to enter a protected network.
- It is known that the screening operation performed to examine the packet traffic takes time and thus can delay packet traffic transport throughput. This delay concern is magnified as the volume of traffic to be examined increases and the intrusion detection system presents a potential bottleneck to packet traffic passage. Further delays in throughput time result from the use of more comprehensive (and time consuming) screening operations.
- A need accordingly exists for a more efficient approach to packet screening.
- In accordance with one aspect of the present invention, packet filtering is performed by first filtering packet traffic with a first filtering criteria to generate a first pass traffic portion and a fail traffic portion. The fail traffic portion is then second filtered with a second filtering criteria to generate a second pass traffic portion and a reject traffic portion.
- In a particular embodiment, the first filtering detects suspicious packet traffic for output as the fail traffic portion and the second filtering detects threatening packet traffic within the suspicious packet traffic for output as the reject traffic portion. In a related embodiment, the first filtering triggers a suspicion of dangerous packets within the packet traffic and produces suspicious packets as the fail traffic portion, while the second filtering confirms the presence of dangerous packet traffic within the fail traffic portion and selects dangerous packets as the reject traffic portion.
- In a further embodiment, load is measured, with the first and second filtering criteria being dynamically selected and altered based on measured load. Changes to the selected first and second filtering criteria are based on changes in measured load. In a particular implementation, the measurement of load detects an imbalance in load between the first and second filtering operations. The dynamic selection then operates to alter the first and second filtering criteria to better balance filtering load.
- In another embodiment, the first set of filtering criteria are characterized by being higher throughput, lower accuracy filtering criteria, and the second set of filtering criteria are characterized by being lower throughput, higher accuracy filtering criteria. The operation for dynamic selection adjusts the relative throughputs and accuracies of the first and second filtering criteria.
- In a related embodiment, the adjustment alters a complexity of the first and second filtering criteria to also alter the relative throughputs and accuracies. This is accomplished through a dynamic adaptation process that is responsive to one or more characteristics and/or factors.
- In another related embodiment, the adjustment alters a comprehensiveness of the first and second filtering criteria to also alter the relative throughputs and accuracies. Again, this is accomplished through a dynamic adaptation process that is responsive to one or more characteristics and/or factors.
- A more complete understanding of the method and apparatus of the present invention may be acquired by reference to the following Detailed Description when taken in conjunction with the accompanying Drawings wherein:
- FIG. 1 is a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with an embodiment of the present invention;
- FIG. 2 is a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with another embodiment of the present invention;
- FIG. 3 is a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with yet another embodiment of the present invention.
- Reference is now made to FIG. 1 wherein there is shown a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with an embodiment of the present invention. A screening engine10 (useful in a number of applications including, for example, network protection, intrusion detection, firewalling, anti-virus content filtering, and the like) implements a multi-level processing technique. In a first level 12 (also referred to as a triggering or detection level), a corresponding
first filter 14 receivespacket traffic 16 and screens that received traffic against a first set offiltering criteria 18. Aportion 20 of the receivedtraffic 16 that passes the first set offiltering criteria 18 is output from thescreening engine 10. Aportion 22 of the receivedtraffic 16 which does not pass the first set offiltering criteria 18, however, is forwarded on for further examination by asecond level 24 of thescreening engine 10. The second level 24 (also referred to as a confirmation or catch level) implements a correspondingsecond filter 26 that receives the failingportion 22 of thepacket traffic 16 and screens that received traffic against a second set offiltering criteria 28. Aportion 30 of the received traffic (failing portion) 22 passes the second set offiltering criteria 28 and is output from thescreening engine 10 to join thepacket portion 20 as the pass packet traffic output. Aportion 32 of the received traffic (failing portion) 22 which does not pass the second set offiltering criteria 28, however, is then rejected. The rejected packets are then output and acted on as needed (for example, by logging, discarding, alert generation, and the like). - Although two levels of hierarchical processing are illustrated in FIG. 1, it will be understood by those skilled in the art that this is exemplary in nature. The embodiment of the present invention illustrated in FIG. 1 may include three or more levels of processing if desired, with each subsequent and/or additional level being structured in a manner similar to the levels of the first and/or second filters. Generally speaking, with each increase in level comes a more stringent examination of the packets using filtering criteria designed at each incremental level to more accurately detect suspicious or dangerous traffic.
- Still further, although FIG. 1 primarily illustrates all traffic that fails the first filtering test (i.e., the failing portion22) being passed on for second filter processing, it will be understood that, depending on the
filtering criteria 18 being applied by thefirst filter 14, it is likely that the first filter will be able to identify some of the traffic in theportion 22 as definitely being threatening or dangerous. This unambiguously recognizedportion 22′ of dangerous traffic need not be further processed in thesecond filter 26 for confirmation and may instead be passed on directly with the rejected portion 32 (as shown by the dotted line) to form the rejected packet output for further handling as needed. An advantage of configuring theengine 10 in such a manner is an increase in throughput with respect tosecond level 24 processing. - A certain relationship is defined between the screening criteria implemented by the first and
second filters screening engine 10 throughput performance (speed and accuracy). The first set offiltering criteria 18 are implemented as a triggering mechanism to allow for relatively high speed examination of the receivedpacket traffic 16 where limited processing capability filtering is used with a design to catch substantially all suspicious traffic, understanding that thefilter 14 will inevitably erroneously additionally capture some benign traffic (i.e., accuracy is relatively low and there will be a number of false positives) along with the dangerous traffic. As an example, thisfirst level 12 screening implicates header field compares and trigger content searches (i.e., short string compares) that can be performed at higher speed using less complex algorithms and processes with the screened output being more susceptible to including errors. The second set offiltering criteria 28, on the other hand, are implemented as a confirmation mechanism to allow for lower speed examination of theportion 22 of thepacket traffic 16 where more complex processing capability filtering is used with a design to more carefully examine the suspicious traffic (identified by the first filter 14) and identify the most likely threatening or dangerous traffic, understanding again that thefilter 26 may erroneously capture some benign traffic (i.e., accuracy is relatively high, although there could be a minimal number of false positives), but that the likelihood of this occurring will be significantly smaller than that experienced with thefirst filter 14. As an example, thissecond level 24 screening implicates protocol decoders and regular expression matching (i.e., long string compares) at lower speed using more complex algorithms and processes with the screened output being less susceptible to including errors. - It will be understood that by including additional levels (above the second filter) an improvement in the accuracy of the system may be obtained while spreading the processing load out over more filters. However, these benefits are obtained at the expense of additional filtering operations and further possible delays in packet throughput.
- The accuracy/throughput relationship between the first set of filtering criteria18 (for triggering suspicion) and the second set of filtering criteria 28 (for confirming presence) may be better understood using an example. The first set of
filtering criteria 18 in an exemplary implementation may include a screen designed to quickly examine passing packets and to cast a broad net for the capture of any traffic that is even remotely suspicious (for example, based on header field compares and short string compares). Because this triggering screen does not necessarily require a detailed or comprehensive examination of each passing packet in thetraffic 16, the analysis performed by thefirst filter 14 may be completed relatively quickly on a packet-by-packet basis thus enabling, with respect to theportion 20 of the receivedtraffic 16 that passes, a relatively high throughput. However, because the screening analysis is not especially detailed or comprehensive, and more specifically because the parameters of the screen are broader and more encompassing in character, the failingportion 22 of the traffic that is caught and passed on for further analysis will likely include a number of packets that are not dangerous (i.e., false positives due to low accuracy). Finding those erroneously captured packets is one of the jobs of thesecond filter 26. The second set offiltering criteria 28 in an exemplary implementation may include a screen designed to more thoroughly examine thesuspicious packet portion 22 and carefully consider the packets (either alone or in combination groups with other preceding packets) for dangerous content (for example, based on protocol decoders and long string compares). Because this confirmation screen implements a more detailed or comprehensive examination of each packet output in the first level screenedportion 20, the analysis performed by thesecond filter 26 could take significantly more time per packet and slows the throughput of these packets. However, due to the first level of screening there are fewer packets that need to be more carefully examined. Additionally, because the screening analysis is more detailed and comprehensive, and more specifically because the parameters of the screen are narrower and more focused to look for certain characteristics in the suspicious traffic, only that traffic that is most likely to be dangerous is caught (i.e, accuracy is high), and the remaining traffic is released delayed only slightly by the time required to confirm the legitimacy of that traffic. - Reference is now made to FIG. 2 wherein there is shown a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with another embodiment of the present invention. Like reference numbers refer to similar or identical components. Additionally, although illustrated with only two levels, it will be understood that the embodiment may use three or more levels of filtering as desired.
- It is recognized that the volume and nature of the packet traffic16 (i.e., the traffic mix) tends to vary over time. When the traffic mix is such that screening of the packets do not demand the use of significant processing resources, the
first filter 14 is not highly loaded and could be used to perform additional or more comprehensive screenings. Conversely, when the mix of traffic is such that the first filter is highly loaded in making the trigger processing determinations, some of this processing may be off-loaded to the second filter to more efficient share load. The embodiment of FIG. 2 takes advantage of these natural variations in packet traffic mix by adjusting thecriteria engine 10 may change the first set offiltering criteria 18 to perform, at thefirst filter 14, some of the screening that would otherwise have been performed using the second set offiltering criteria 28 at thesecond filter 26. Even though this “enhanced” first set offiltering criteria 18′ implements a more detailed or comprehensive examination of each packet (i.e., it is, relatively speaking, more accurate), overall throughput may be improved. The enhancement of criteria that are added to form the first set offiltering criteria 18′ are not needed in the second set of filteringcriteria 28, and thus thesecond filter 26 may apply a modified second set offiltering criteria 28′ that continues to implement a comprehensive, but more narrowly focused, screening than was performed in FIG. 1. A switch back and forth between thecriteria 18 and 18 a′ and thecriteria 28 and 28 a′ made be implemented as needed in response to detected changes in traffic mix. - The adjustments made to the first and second sets of filtering criteria essentially comprise altering the relative throughputs and accuracies of the filters. For example, a first filter applying a high throughput, low accuracy set of filtering criteria may be adjusted to provide for a somewhat lower throughput with a higher relative accuracy in certain situations. Conversely, a second filter applying a low throughput, high accuracy set of filtering criteria may be adjusted to provide continued accuracy, but less comprehensive, screenings at a lower relative throughput in those situations. These adjustments are made responsive to detected variations in the packet traffic mix and may be used to correct for a perceived imbalance in load between the first and second filters.
- Load on the
screening engine 10 in general, and its constituent filters in particular, is measured (reference 36) and used to trigger selected changes in the sets of filtering criteria applied by the first andsecond filters reference 42; with respect to relative accuracy, throughput, complexity and/or comprehensiveness, for example) so as to better spread or balance the load between the available filters. Several non-limiting examples of such an operation are provided herein to illustrate the load-responsive operation of theengine 10. - The
load device 36 of thescreening engine 10 may utilize atraffic monitor 40 to measure the volume of certain types ofpacket traffic 16. From this information, theload device 36 dynamically adjusts the filtering criteria being implemented by each of the first andsecond filters packet traffic 16 measured exceeds a first threshold (indicative of a relatively high traffic level), theload device 36 configures the first andsecond filters criteria filtering criteria 18 provide a relatively high speed (high throughput) examination of the receivedpacket traffic 16 with limited processing capability filtering being implemented to catch substantially all suspicious traffic (but not necessarily accurately detect dangerous or threatening traffic), while the second set offiltering criteria 28 provide a lower speed (low throughput) examination of theportion 22 of thepacket traffic 16 with more complex processing capability filtering being implemented to more carefully examine the suspicious traffic and accurately identify the most likely threatening traffic. - If the volume of the certain type of
packet traffic 16 measured later drops below a second threshold (indicative of a relatively low traffic level), theload device 36 configures the first andsecond filters filtering criteria 18′ and 28′, respectively, as discussed above, by modifying the relative throughput and accuracy characteristics of the filtering criteria. In this configuration, the modified first set offiltering criteria 18′ continues to provide for a relatively high speed examination of the receivedpacket traffic 16, however, a slightly more extensive processing capability filtering is implemented to improve accuracy and catch the more (or most)suspicious portion 22 of the traffic 16 (and perhaps generate theportion 22′). The second set offiltering criteria 28′, on the other hand, continues to provide a lower speed examination of theportion 22 of thepacket traffic 16 with more complex processing capability filtering (perhaps minus that used in thefirst filter 14 to provide some improvement in throughput) being implemented to more carefully examine the suspicious traffic and identify the most likely threatening traffic. - The relationships between the first and second sets of filtering
criteria filtering criteria 18′ and 28′ may be better understood using an example. Consider for this example a spectrum of available filtering criteria F(1)-F(n) relating to detection of a certain threat or danger where, for each piece of criteria F: (a) the complexity of the filtering performed by the criteria increases as n increases; (b) the speed of packet screening performed by the criteria decreases as n increases; and (c) the likelihood of the criteria screening process erroneously catching a packet (i.e., a false positive) decreases as n increases. The first set offiltering criteria 18 may comprise certain filtering criteria F(1)-F(m), while the second set offiltering criteria 28 comprise certain filtering criteria F(m+1)-F(n). The division of the spectrum at point m byload device 36 reflects a choice made to balance throughput concerns against accuracy in the first filter. Thus, it is recognized that by utilizing filtering criteria F(1)-F(m) as the first set of filteringcriteria 18, thepackets 16 will be quickly processed, by less complex or comprehensive algorithms, but with an increased likelihood of false positives in theportion 22. Alternatively, the enhanced first set offiltering criteria 18′ may comprise certain filtering criteria F(1)-F(p), while the modified second set offiltering criteria 28′ comprise certain filtering criteria F(p+1)-F(n), wherein p>m. The division of the spectrum at point p again reflects a choice made by theload device 36 to balance throughput concerns against accuracy at the first filter. However, in this case, because the volume of packet traffic is lower, there is less concern over satisfactorily handling throughput, which allows a more accurate and complex screen to be used by thefirst filter 14 by including in the enhanced first set offiltering criteria 18′ the filtering criteria F(m)-F(p) which otherwise would have been implemented by the second set of filteringcriteria 28. With the inclusion of criteria F(m)-F(p) in the enhanced first set offiltering criteria 18′, there is no need for those criteria to again be applied at another level thus allowing for the implementation of the modified second set offiltering criteria 28′. Because the modified second set offiltering criteria 28′ is now performing fewer checks on theportion 22, processing speed for each examined packet should increase (with no degradation, however, in accuracy). - The selection of where the division point (m, p, or the like) lies in the spectrum of available filtering criteria F(1)-F(n) is made by the
load device 36 using, for example, atraffic monitor 40 measured level of packet volume. When the measured volume is relatively high, for example at or above the first threshold, the division point is selected closer to the F(1) end of the spectrum (relatively speaking, higher throughput and lower accuracy). Conversely, when the measured volume is relatively low, for example at or below the second threshold, the division point is selected closer to the F(n) end of the spectrum (relatively speaking, lower throughput and higher accuracy). Generally speaking, the first and second thresholds are different (with first>second) to define a hysteresis of traffic volume change which must be overcome before a switch in the applied sets of filtering criteria is made by theload device 36. This hysteresis prevents theload device 36 from changing the applied sets of filtering criteria in a ping-pong manner responsive to normal and expected fluctuations in measured volume. It is only responsive to a change in measured volume that overcomes the hysteresis that applied sets of filtering criteria are switched. - The
traffic monitor 40 may sample the volume of packet traffic with any selected rate desired by the user. Choosing a faster rate allows theengine 10load device 36 to dynamically respond more quickly to volume changes with corresponding switches in the sets of filtering criteria. A faster rate also allows theload device 36 to consider more data points with each determination. In this way, it will be understood that the measured volume used for making the criteria switching determination may comprise either an instantaneous volume presented by a single data point or an average (or mean) volume presented by a plurality of data points. - Although the foregoing example illustrates the
traffic monitor 40 operating in a specific example to measure overall volume, it will be understood that other traffic-related characteristics may additionally or alternatively be measured for purposes of assisting in theload device 36 determination of filtering criteria assignment. For example, thetraffic monitor 40 may identify traffic type and measure volume separately for each traffic type. In this context, theengine 10 may have a particular interest in a certain type of traffic, where type may refer to protocol type (HTTP, FTP, DNS, and the like), because filter screening of traffic of that type requires significantly greater amounts of processing resources than other traffic. In the event a significant amount of such traffic were detected, some adjustment may need to be made to the first set offiltering criteria 18 to ensure that thefirst filter 14 was not overloaded by the presence of that traffic. Still further, thetraffic monitor 40 may identify traffic origination and measure volume separately for certain originations or destinations of interest. In this context, theengine 10 may have a particular interest in a certain origin of traffic, where origin may refer to origination address, port ID, protocol destination address, because filter screening of traffic from that origin requires significantly greater amounts of processing resources than other traffic. In the event a significant amount of such traffic were detected, some adjustment may need to be made to the first set offiltering criteria 18 to ensure that thefirst filter 14 was not overloaded by the presence of that traffic. - As an alternative, the
load device 36 may include a filter load monitor 40′ that operates to measure the processing load on each of thefirst filter 14 and thesecond filter 26. In the event the load monitor 40′ discovers that either filter is overloaded in its processing of received packets (for example, when the dropping of packets is detected) or is approaching an overload situation (for example, when processor utilization and/or memory utilization exceed certain thresholds), this indicates that the packet handling loads for theengine 10 are not properly balanced between the first andsecond filters load device 36 may adjust the sets of filtering criteria implemented by the filters (with respect to relative throughput and accuracy, for example) to better balance the load and improve performance. For example, if the load monitor 40′ detects that thefirst filter 14 is overloaded, the sets of filtering criteria implemented by the filters are adjusted so that a less accurate set of filtering criteria (i.e., the division point is selected closer to the F(1) end of the spectrum) is selected for the first filter. This, of course, results in more false positive catches at the first filter and increases the load on thesecond filter 26 which now must apply a more accurate set of filtering criteria to a large number of packets. However, if the balance point is selected properly the load on the first filter will fall below its overload level and the load on the second filter will not increase above its overload level. Conversely, if the load monitor 40′ detects that thesecond filter 26 is overloaded, the sets of filtering criteria implemented by the filters are adjusted so that a more accurate set of filtering criteria (i.e., the division point is selected closer to the F(n) end of the spectrum) is selected for thefirst filter 14. This, of course, results in fewer false positive catches with increased load at thefirst filter 14, but allows thesecond filter 26 to focus on a more extensive examination without danger of overload. - The load monitor40′ may alternatively operate to measure filter load in comparison to a threshold representing a percentage of load capacity. In the event the measured filter load exceeds the threshold, the
load device 36 initiates a load balancing operation. Filter load in this instance may comprise a measure of false positives generated by a given filter level. In the event the load monitor 40′ detects from higher level filter (for example, the second filter 26) analysis that a lower level filter (for example, the first filter 14) is generating an excessive number of false positives, theload device 36 may instruct the lower level filter to adjust its set of filtering criteria to increase accuracy. Responsive thereto a more comprehensive set of filtering criteria may be instantiated by the lower level filter. A corresponding change may, or may not, be implemented by the higher level filter to remove redundant filtering criteria. - To prevent filter load measurements from causing ping-pong adjustments in the filtering criteria as load naturally varies over time, an appropriately selected hysteresis may be used to inhibit changes in the same manner as discussed above with respect to traffic volume.
- Although the
load device 36 and its associatedtraffic monitor 40 and/or load monitor 40′ are illustrated as being functionally separate from the first and second filters, it will be understood that the load balancing-related functionalities may be integrated within the first and second filters (as illustrated by interconnected 44dotted boxes 36′). For example, as a further alternative, the higher level filter (for example, the second filter 26) may, on its own, be configured to detect that a lower level filter (for example, the first filter 14) is generating an excessive number of false positives. This could be recognized, for example, by comparing the number of packets it receives (i.e., the suspicious packets) to the number of packets it rejects. Responsive thereto, the higher level filter may be overloaded by the processing of too many false positives and issues a request to the lower level filter to instantiate a more comprehensive set of filtering criteria (i.e., criteria that are less likely to capture false positives in the suspicious traffic). The lower level filter, responsive to that request, examines its own loading factor and, if the requested change would not place the lower level filter in danger of overload, implements the new filtering criteria as requested. Conversely, the lower level filter evaluates its own loading factor and, if it is determined to be in danger of overload instantiates a less comprehensive set of filtering criteria that would allow for faster throughput with an increased likelihood of capturing false positives within the identified suspicious traffic. The higher level filter is informed of this change and responds, if necessary, by instantiating a more comprehensive set of filtering criteria to account for the criteria change implemented at the lower level. - Reference is now made to FIG. 3 wherein there is shown a block diagram illustrating a hierarchical approach to packet traffic screening in accordance with another embodiment of the present invention. Like reference numbers refer to similar or identical components. Additionally, although illustrated with only two levels, it will be understood that the embodiment may use three or more levels of filtering as desired.
- The
first filter 14 is implemented through a selected one or more of a plurality of trigger filter modules 14(1)-14(n), where n is not necessarily the same index as recited above for the filter criteria F. Similarly, thesecond filter 26 is implemented through a selected one or more of a plurality of confirmation filter modules 26(1)-26(m), where m is not necessarily the same index as recited above for the filter criteria F. A generator module 100 operates to select 102 which one (or ones, in combination) of the trigger filter modules 14(1)-14(n) are chosen to operate on thepacket traffic 16, as well as which one (or ones, in combination) of the confirmation filter modules 26(1)-26(m) are chosen to operate on thesuspicious portion 22 of thetraffic 16 produced by thefirst filter 14. - In this context, the modules14(n) and 26(m) may represent the existence of corresponding plural sets of
criteria second filters - Each one of the plurality of trigger filter modules14(1)-14(n) and confirmation filter modules 26(1)-26(m) that is available for selection by the generator module 100 is designed to perform a specific screening operation. A processing operation is first designed to detect the presence of a certain threat or danger. This processing operation may be referred to as a detection signature. To address a wide array of threats and dangers posed by the packet traffic, numerous detection signature processing operations may need to be designed. These detection signature processing operations may be unique in some situations to certain threats and dangers. In other situations, one detection signature processing operation may be capable of detecting more than one threat or danger. Nonetheless, once in possession of an arsenal of detection signature processing operations, a determination is next made as to which of the threats or dangers (for which signatures exist) the
engine 10 is going to implemented to protect against. Having made that decision, the specific detection signature processing operations for those chosen threats or dangers are evaluated and a determination is made as to which portions of the specific detection signature processing operations are to be implemented at each level of theengine 10. For example, a first detection processing operation may be provided as a first portion represented by filteringcriteria 18 that is implemented in one of the trigger filter modules 14(n) and a second portion represented by filteringcriteria 28 that is implemented in one of the confirmation filter modules 26(m). Those modules 14(n) and 26(m) are then selected 102 by the generator module 100 to perform screening operations. The process then repeats for a second and further detection processing operation, if necessary, such that plural modules 14(n) and 26(m) are selected to provide the required protection. - The foregoing operation may be better understood through an example. Consider a certain detection signature Sx that is defined by a processing operation for screening packet traffic referred to as a “test” such that:
- Sx=test.
- This signature may be implemented as a single filtering operation using the test. However, when implemented in this fashion, even though the accuracy of the operation would be high (i.e., minimal to no instances of false positives), the test requires substantial processing resources at a single screening level and could significantly delay the passage of the packet traffic. It is recognized that the test may be divided into a number of factors. Continuing with the example set for above, the factors may be two, in which case the test may be factorized into a first portion referred to as a “trigger” and a second portion “confirmation” such that:
- Sx=trigger+confirmation=test.
- In this scenario, the trigger portion is recognized as requiring less processing resources and may be performed without significant delay in packet throughput, but with a lower degree of accuracy (i.e., a greater likelihood of false positives). The confirmation portion requires significant processing resources and operates to accurately identify the false positives. Thus, the signature Sx may be implemented through a pair of filtering operations, with the trigger portion comprising the
criteria 18 for one trigger filter module 14(n) and the confirmation portion comprising thecriteria 28 for one confirmation filter module 26(m). The trigger may further be recognized as being configurable as a function of several sub-factors v such that: - trigger=f(v),
- wherein the sub-factors v may be any one or more of the following: test; the processing capabilities of the level (more specifically, the first level12); other detection signatures; traffic; load, and the like. With respect to test, trigger could be a function of the sub-factor test in that the
criteria 18 may be derived from the overall criteria of the test itself. With respect to processing capability, trigger could be a function of the sub-factor processing capability of the trigger filter module 14 (n) in that selection of thecriteria 18 is made such that it is readily implementable for efficient processing of the packet traffic with minimal throughput delay. With respect to other detection signatures, trigger could be a function of the subfactor of other threat or danger detection signatures by recognizing commonalities between the signatures and choosing asingle criteria 18 more efficiently useful in identifying suspicious traffic with respect to plural threats or dangers. With respect to traffic and load, trigger could be a function of the sub-factor current traffic or load situation for theengine 10 such thatdifferent criteria 18 would be used depending on current traffic and load characteristics at each level. - By selectively choosing the one or ones of the modules14(n) and 26(m), the generator module 100 exercises a level of dynamic control over the screening process implemented at each level. More specifically, with respect to a given detection signature, multiple modules 14(n) may be available for selection by the generator module 100 depending on any one or more factors (such as loading or traffic mix). Responsive to those factors, the generator module 100 switches among and between the modules 14(n) for purposes of triggering a suspicion of a threat or danger in the
traffic 16 and generating theportion 22 for further evaluation in thesecond level 24. In making the switch, the generator module 100 may balance accuracy concerns against throughput concerns as well as evaluate relative loading on the various levels of theengine 10 to provide for an appropriate degree of sharing. Similarly, multiple modules 26(m) may be available for selection by the generator module 100. Which of those modules is selected may depend on which module(s) 14(n) are selected, as well as the same accuracy/throughput balancing and load sharing factors that influence the module 14(n) selection. As discussed above, appropriate hysteresis controls may be implemented to govern when changes in the selected modules 14(n) and 26(m) are made. - The consideration of sub-factors alone and in combination may be better understood through the examination of certain examples. For the sub-factors test and processing capabilities, assume that the test is for a tcp_port>=34000. It is recognized that filtering on a port greater than or equal to 34000 is a relatively complex operation. It is also recognized that filtering on a port greater than 32768 (which inherently tests for >=34000) is a much easier, and faster, processing operation since only a single binary bit in the port number needs to be examined to make the greater than or equal to determination. The trigger then becomes tcp_port>=32768 which is viewed as being a function of both the test (tcp_port>=34000) and perhaps the processing capabilities of the first filter level. Notably, the difference between 34000 and 32768 in the
criteria 18 evaluated by thetrigger filter 14 also causes the generation of a number of false positive catches that would have to be caught in the confirmation filter by accurately applying the test (tcp_port>=34000). However, some complexity is eliminated in the first level processing thus allowing for a faster throughput and transfer for the detailed screening operation to the second level where it may be performed only against the failingtraffic portion 22. - Consider next the sub-factor for other detection signatures. In this scenario, the detection signature for a first test may comprise a certain string ABCD (long string compare), while the detection signature for a second test may comprise a certain string AEFG (also a long string compare) It is noted that the strings to be found by each of the tests shares string component A in common. Thus, a
criteria 18 evaluated by thetrigger filter 14 may be established to detect on the presence of string component A (i.e., a short string compare), with the benefit that this single trigger is used to relatively quickly detect the suspicion of the presence of the strings ABCD and AEFG. In this regard, the trigger then becomes a function of not only the individual tests, but more importantly a plurality of detection signatures. Again, it is worth noting that triggering on string component A may generate a number of false positive catches (from benign strings that also include A) that would have to be caught in the long string compare confirmation filter by accurately applying the tests for strings ABCD and AEFG. - Turning next to the sub-factor for traffic, the generator100 monitors traffic load and type, and more particularly measures the effectiveness of the trigger filtering operation in predicting the presence of threatening or dangerous traffic, and dynamically adjusts the trigger to compensate. Returning again to the example above concerning the test (tcp_port>=34000) and the implemented trigger (tcp_port>=32768), the generator 100 may detect a substantial amount of benign traffic originating from port 33000 being inadvertently caught by the trigger. This is undesirable because it slows the throughput of this benign traffic and unnecessarily adds to the processing load carried by the second level. To address this concern, the trigger may be set as a function of the traffic load/type by adding to the trigger (tcp_port>=32768) an operation for detecting (tcp_port≠33000). This combination operation for the
trigger filter criteria 18 adds slightly to the complexity of the first level operation while providing significant benefits in reducing second level load and improving the accuracy of the first level triggering operation. - With respect to the sub-factor for processor load, the generator100 monitors load of the processing functions performed at each of the levels and dynamically adjusts the trigger as a function of load to compensate for overloads/underloads due to fluctuations in traffic and the accuracies of the screening processes performed at each level. For example, as discussed above, when the trigger allows excessive benign traffic to pass, load increases on the second level as it processes the suspicious traffic to detect the presence of threatening or dangerous traffic therein. This condition is detected by the generator 100 and an adjustment is made to increase the accuracy of the filtering operation performed at the first level. Similarly, when traffic is light, load on the first level decreases and the generator 100 may increase the accuracy of the first level filtering operation to increase its load and relieve the second level of some load. Conversely, when traffic is heavy, the first level processing load increases and the generator 100 may operate to decrease the accuracy of the first level processing to allow load decreases and a corresponding increase in throughput. Load balancing between the included filtering levels may thus be achieved.
- Reference is now made to FIGS.1-3. With respect to the filtering operations performed by the
filters OSI layer 1, the physical hardware interface for packet communication may be considered. At OSI layer 2, the following data link related coding, addressing and transmitting information may be considered: ethernet source/destination address, VLAN PRI/CFI, VLAN identifier and ethernet type, and MPLS labels. At OSI layer 3, the following network related transport route, message handling and transfer information may be considered: IP fields (for example, source/destination address, payload length, fragbits, header length, ID field, offset field, options, protocol field, type of service field, time-to-live field and version field), and ARP fields (sender and target MAC or protocol address, protocol or hardware type or size). Additionally, at OSI layer 4, the following transport related delivery service and quality information may be considered: TCP fields (source/destination port, data length, header length, acknowledgment number, flags, sequence number, urgent pointer, window and checksum), ICMP (type, code, sequence, ID, data length, checksum, icmp.code), and UDP (source/destination port). The processing functions may additionally evaluate protocol decode information as follows: HTTP (all header fields including request line, method, URI, protocol, host, content length, body), DNS, SMTP, SNMP, SMP, FTP, and the like. Still further, the processing functions may evaluate: fixed string-fixed offset, fixed string-variable offset, regular expression-fixed offset, regular expression-variable offset, collection of events, sequences of events, fragmentation, connection state, flow reassembly, normalization techniques (detect and eliminate overlapping fragments, evasion techniques), and hex and unicode decoding. - While automatic dynamic alteration has been discussed above, it will be recognized that the filtering alternations implemented in any of the disclosed embodiments may alternatively be selected and controlled by human intervention. In this way, the filtering criteria are user defined to tailor operation to the desires of the human manager, rather than operate under automatic control responsive to measured factors. It is also possible for the automatic operation to select a number of options for altering the filtering criteria, with those options presented to the human manager for consideration and selection.
- Although preferred embodiments of the method and apparatus of the present invention have been illustrated in the accompanying Drawings and described in the foregoing Detailed Description, it will be understood that the invention is not limited to the embodiments disclosed, but is capable of numerous rearrangements, modifications and substitutions without departing from the spirit of the invention as set forth and defined by the following claims.
Claims (77)
Priority Applications (7)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/217,862 US6983323B2 (en) | 2002-08-12 | 2002-08-12 | Multi-level packet screening with dynamically selected filtering criteria |
DE60336240T DE60336240D1 (en) | 2002-08-12 | 2003-08-11 | PACKAGE SCREENING AT MULTIPLE LEVELS WITH DYNAMICALLY SELECTED FILTERING CRITERIA |
PCT/US2003/025070 WO2004015586A1 (en) | 2002-08-12 | 2003-08-11 | Multi-level packet screening with dynamically selected filtering criteria |
EP03785167A EP1540502B1 (en) | 2002-08-12 | 2003-08-11 | Multi-level packet screening with dynamically selected filtering criteria |
AT03785167T ATE500675T1 (en) | 2002-08-12 | 2003-08-11 | MULTI-LEVEL PACKET SCREENING WITH DYNAMIC SELECTED FILTERING CRITERIA |
CNB038241102A CN100445980C (en) | 2002-08-12 | 2003-08-11 | Multi-level packet screening with dynamically selected filtering criteria |
AU2003265399A AU2003265399A1 (en) | 2002-08-12 | 2003-08-11 | Multi-level packet screening with dynamically selected filtering criteria |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/217,862 US6983323B2 (en) | 2002-08-12 | 2002-08-12 | Multi-level packet screening with dynamically selected filtering criteria |
Publications (2)
Publication Number | Publication Date |
---|---|
US20040030776A1 true US20040030776A1 (en) | 2004-02-12 |
US6983323B2 US6983323B2 (en) | 2006-01-03 |
Family
ID=31495239
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/217,862 Expired - Lifetime US6983323B2 (en) | 2002-08-12 | 2002-08-12 | Multi-level packet screening with dynamically selected filtering criteria |
Country Status (7)
Country | Link |
---|---|
US (1) | US6983323B2 (en) |
EP (1) | EP1540502B1 (en) |
CN (1) | CN100445980C (en) |
AT (1) | ATE500675T1 (en) |
AU (1) | AU2003265399A1 (en) |
DE (1) | DE60336240D1 (en) |
WO (1) | WO2004015586A1 (en) |
Cited By (80)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020078223A1 (en) * | 2000-10-17 | 2002-06-20 | Baldonado Omar C. | Method and apparatus for performance and cost optimization in an internetwork |
US20030039212A1 (en) * | 2000-10-17 | 2003-02-27 | Lloyd Michael A. | Method and apparatus for the assessment and optimization of network traffic |
US20030120935A1 (en) * | 2001-12-20 | 2003-06-26 | Coretrace Corporation | Kernel-based network security infrastructure |
US20030161321A1 (en) * | 2000-10-17 | 2003-08-28 | Karam Mansour J. | Method and apparatus for characterizing the quality of a network path |
US20040015554A1 (en) * | 2002-07-16 | 2004-01-22 | Brian Wilson | Active e-mail filter with challenge-response |
US20040167968A1 (en) * | 2003-02-20 | 2004-08-26 | Mailfrontier, Inc. | Using distinguishing properties to classify messages |
US20040205098A1 (en) * | 2000-10-17 | 2004-10-14 | Lloyd Michael A. | Load optimization |
US20050008009A1 (en) * | 2003-06-27 | 2005-01-13 | Broadcom Corporation | Single and double tagging schemes for packet processing in a network device |
US20050192001A1 (en) * | 2004-02-26 | 2005-09-01 | Isaac Samuel | Controlling processor load in a wireless telecommunications network node |
US20060072543A1 (en) * | 2004-09-09 | 2006-04-06 | Lloyd Michael A | Methods of and systems for remote outbound control |
US20060112430A1 (en) * | 2004-11-19 | 2006-05-25 | Deisenroth Jerrold M | Method and apparatus for immunizing data in computer systems from corruption |
US20060174343A1 (en) * | 2004-11-30 | 2006-08-03 | Sensory Networks, Inc. | Apparatus and method for acceleration of security applications through pre-filtering |
US20060182124A1 (en) * | 2005-02-15 | 2006-08-17 | Sytex, Inc. | Cipher Key Exchange Methodology |
US20060288217A1 (en) * | 2005-06-01 | 2006-12-21 | Jennings James S | System and method for generating feature-based models of software and content for automatic recognition |
US20070039051A1 (en) * | 2004-11-30 | 2007-02-15 | Sensory Networks, Inc. | Apparatus And Method For Acceleration of Security Applications Through Pre-Filtering |
US20070064715A1 (en) * | 2002-07-25 | 2007-03-22 | Avaya, Inc. | Method and apparatus for the assessment and optimization of network traffic |
US20070115840A1 (en) * | 2000-10-17 | 2007-05-24 | Feick Wayne A | Method and apparatus for communicating data within measurement traffic |
US20070153689A1 (en) * | 2006-01-03 | 2007-07-05 | Alcatel | Method and apparatus for monitoring malicious traffic in communication networks |
US20070258437A1 (en) * | 2006-05-05 | 2007-11-08 | Broadcom Corporation, A California Corporation | Switching network employing server quarantine functionality |
US20070258469A1 (en) * | 2006-05-05 | 2007-11-08 | Broadcom Corporation, A California Corporation | Switching network employing adware quarantine techniques |
US20080021969A1 (en) * | 2003-02-20 | 2008-01-24 | Sonicwall, Inc. | Signature generation using message summaries |
US20080120413A1 (en) * | 2006-11-16 | 2008-05-22 | Comcast Cable Holdings, Lcc | Process for abuse mitigation |
US7406502B1 (en) | 2003-02-20 | 2008-07-29 | Sonicwall, Inc. | Method and system for classifying a message based on canonical equivalent of acceptable items included in the message |
US20090007251A1 (en) * | 2007-06-26 | 2009-01-01 | Microsoft Corporation | Host firewall integration with edge traversal technology |
US7539726B1 (en) * | 2002-07-16 | 2009-05-26 | Sonicwall, Inc. | Message testing |
US7675868B2 (en) | 2000-10-17 | 2010-03-09 | Avaya Inc. | Method and apparatus for coordinating routing parameters via a back-channel communication medium |
WO2010031084A1 (en) | 2008-09-12 | 2010-03-18 | 3Com Corporation | Distributed packet flow inspection and processing |
US20100128729A1 (en) * | 2005-08-26 | 2010-05-27 | Alaxala Networks Corporation | Packet forwarding device with packet filter |
US20100138909A1 (en) * | 2002-09-06 | 2010-06-03 | O2Micro, Inc. | Vpn and firewall integrated system |
US20100157158A1 (en) * | 2008-12-22 | 2010-06-24 | Ching-Chieh Wang | Signal processing apparatuses capable of processing initially reproduced packets prior to buffering the initially reproduced packets |
US20100246592A1 (en) * | 2009-03-31 | 2010-09-30 | Inventec Corporation | Load balancing method for network intrusion detection |
US7840704B2 (en) | 2000-10-17 | 2010-11-23 | Avaya Inc. | Method and apparatus for performance and cost optimization in an internetwork |
US7908330B2 (en) | 2003-03-11 | 2011-03-15 | Sonicwall, Inc. | Message auditing |
US20110099631A1 (en) * | 2009-10-28 | 2011-04-28 | Willebeek-Lemair Marc | Distributed Packet Flow Inspection and Processing |
US20120036580A1 (en) * | 2010-07-19 | 2012-02-09 | Sitelock, Llc | Selective website vulnerability and infection testing |
US8396926B1 (en) | 2002-07-16 | 2013-03-12 | Sonicwall, Inc. | Message challenge response |
US8407789B1 (en) * | 2009-11-16 | 2013-03-26 | Symantec Corporation | Method and system for dynamically optimizing multiple filter/stage security systems |
US8413124B2 (en) | 2007-07-30 | 2013-04-02 | Huawei Technologies Co., Ltd. | System and method for compiling and matching regular expressions |
WO2015010824A1 (en) * | 2013-07-25 | 2015-01-29 | Siemens Aktiengesellschaft | Monitoring the functionality of a network filtering device |
US9088508B1 (en) * | 2014-04-11 | 2015-07-21 | Level 3 Communications, Llc | Incremental application of resources to network traffic flows based on heuristics and business policies |
CN105376167A (en) * | 2009-10-28 | 2016-03-02 | 惠普公司 | Distributed packet stream inspection and processing |
US20160359915A1 (en) * | 2015-06-05 | 2016-12-08 | Cisco Technology, Inc. | Policy-driven compliance |
JP2017073765A (en) * | 2015-10-09 | 2017-04-13 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America | Security device, aggression detection method and program |
US20170180401A1 (en) * | 2015-12-18 | 2017-06-22 | F-Secure Corporation | Protection Against Malicious Attacks |
US9967158B2 (en) | 2015-06-05 | 2018-05-08 | Cisco Technology, Inc. | Interactive hierarchical network chord diagram for application dependency mapping |
US9979615B2 (en) | 2015-06-05 | 2018-05-22 | Cisco Technology, Inc. | Techniques for determining network topologies |
US10089099B2 (en) | 2015-06-05 | 2018-10-02 | Cisco Technology, Inc. | Automatic software upgrade |
US10116559B2 (en) | 2015-05-27 | 2018-10-30 | Cisco Technology, Inc. | Operations, administration and management (OAM) in overlay data center environments |
US20180322203A1 (en) * | 2017-05-03 | 2018-11-08 | Uber Technologies, Inc. | Optimizing listing efficiency and efficacy for a delivery coordination system |
US10142353B2 (en) | 2015-06-05 | 2018-11-27 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10171357B2 (en) | 2016-05-27 | 2019-01-01 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10177977B1 (en) | 2013-02-13 | 2019-01-08 | Cisco Technology, Inc. | Deployment and upgrade of network devices in a network environment |
US10250446B2 (en) | 2017-03-27 | 2019-04-02 | Cisco Technology, Inc. | Distributed policy store |
US10289438B2 (en) | 2016-06-16 | 2019-05-14 | Cisco Technology, Inc. | Techniques for coordination of application components deployed on distributed virtual machines |
US10374904B2 (en) | 2015-05-15 | 2019-08-06 | Cisco Technology, Inc. | Diagnostic network visualization |
US10523541B2 (en) | 2017-10-25 | 2019-12-31 | Cisco Technology, Inc. | Federated network and application data analytics platform |
US10523512B2 (en) | 2017-03-24 | 2019-12-31 | Cisco Technology, Inc. | Network agent for generating platform specific network policies |
US10554501B2 (en) | 2017-10-23 | 2020-02-04 | Cisco Technology, Inc. | Network migration assistant |
US10574575B2 (en) | 2018-01-25 | 2020-02-25 | Cisco Technology, Inc. | Network flow stitching using middle box flow stitching |
US10594560B2 (en) | 2017-03-27 | 2020-03-17 | Cisco Technology, Inc. | Intent driven network policy platform |
US10594542B2 (en) | 2017-10-27 | 2020-03-17 | Cisco Technology, Inc. | System and method for network root cause analysis |
US10680887B2 (en) | 2017-07-21 | 2020-06-09 | Cisco Technology, Inc. | Remote device status audit and recovery |
US10708152B2 (en) | 2017-03-23 | 2020-07-07 | Cisco Technology, Inc. | Predicting application and network performance |
US10708183B2 (en) | 2016-07-21 | 2020-07-07 | Cisco Technology, Inc. | System and method of providing segment routing as a service |
US10764141B2 (en) | 2017-03-27 | 2020-09-01 | Cisco Technology, Inc. | Network agent for reporting to a network policy system |
US10798015B2 (en) | 2018-01-25 | 2020-10-06 | Cisco Technology, Inc. | Discovery of middleboxes using traffic flow stitching |
US10826803B2 (en) | 2018-01-25 | 2020-11-03 | Cisco Technology, Inc. | Mechanism for facilitating efficient policy updates |
US10873794B2 (en) | 2017-03-28 | 2020-12-22 | Cisco Technology, Inc. | Flowlet resolution for application performance monitoring and management |
US10873593B2 (en) | 2018-01-25 | 2020-12-22 | Cisco Technology, Inc. | Mechanism for identifying differences between network snapshots |
US10878110B2 (en) | 2017-09-12 | 2020-12-29 | Sophos Limited | Dashboard for managing enterprise network traffic |
US10917438B2 (en) | 2018-01-25 | 2021-02-09 | Cisco Technology, Inc. | Secure publishing for policy updates |
US10931629B2 (en) | 2016-05-27 | 2021-02-23 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10972388B2 (en) | 2016-11-22 | 2021-04-06 | Cisco Technology, Inc. | Federated microburst detection |
US10979459B2 (en) | 2006-09-13 | 2021-04-13 | Sophos Limited | Policy management |
US10999149B2 (en) | 2018-01-25 | 2021-05-04 | Cisco Technology, Inc. | Automatic configuration discovery based on traffic flow data |
US11012459B2 (en) * | 2015-04-17 | 2021-05-18 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US11128700B2 (en) | 2018-01-26 | 2021-09-21 | Cisco Technology, Inc. | Load balancing configuration based on traffic flow telemetry |
US11233821B2 (en) | 2018-01-04 | 2022-01-25 | Cisco Technology, Inc. | Network intrusion counter-intelligence |
EP3923519A4 (en) * | 2019-02-08 | 2022-07-27 | Panasonic Intellectual Property Corporation of America | Abnormality determination method, abnormality determination device, and program |
US11765046B1 (en) | 2018-01-11 | 2023-09-19 | Cisco Technology, Inc. | Endpoint cluster assignment and query generation |
Families Citing this family (43)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7737134B2 (en) * | 2002-03-13 | 2010-06-15 | The Texas A & M University System | Anticancer agents and use |
US7496662B1 (en) | 2003-05-12 | 2009-02-24 | Sourcefire, Inc. | Systems and methods for determining characteristics of a network and assessing confidence |
US7817721B2 (en) * | 2003-05-15 | 2010-10-19 | Lsi Corporation | Posting status data in digital transport stream processing |
US8543710B2 (en) * | 2004-03-10 | 2013-09-24 | Rpx Corporation | Method and system for controlling network access |
US7539681B2 (en) | 2004-07-26 | 2009-05-26 | Sourcefire, Inc. | Methods and systems for multi-pattern searching |
US7496962B2 (en) * | 2004-07-29 | 2009-02-24 | Sourcefire, Inc. | Intrusion detection strategies for hypertext transport protocol |
US8199754B2 (en) * | 2006-05-30 | 2012-06-12 | Hewlett-Packard Development Company, L. P. | Intrusion prevention system edge controller |
US8046833B2 (en) * | 2005-11-14 | 2011-10-25 | Sourcefire, Inc. | Intrusion event correlation with network discovery information |
US7733803B2 (en) * | 2005-11-14 | 2010-06-08 | Sourcefire, Inc. | Systems and methods for modifying network map attributes |
KR100714109B1 (en) * | 2005-12-01 | 2007-05-02 | 한국전자통신연구원 | Apparatus for generation of intrusion alert data and method thereof |
US7948988B2 (en) * | 2006-07-27 | 2011-05-24 | Sourcefire, Inc. | Device, system and method for analysis of fragments in a fragment train |
US7701945B2 (en) | 2006-08-10 | 2010-04-20 | Sourcefire, Inc. | Device, system and method for analysis of segments in a transmission control protocol (TCP) session |
CA2672908A1 (en) * | 2006-10-06 | 2008-04-17 | Sourcefire, Inc. | Device, system and method for use of micro-policies in intrusion detection/prevention |
US7672336B2 (en) * | 2006-12-01 | 2010-03-02 | Sonus Networks, Inc. | Filtering and policing for defending against denial of service attacks on a network |
US7804774B2 (en) * | 2006-12-01 | 2010-09-28 | Sonus Networks, Inc. | Scalable filtering and policing mechanism for protecting user traffic in a network |
US7940657B2 (en) * | 2006-12-01 | 2011-05-10 | Sonus Networks, Inc. | Identifying attackers on a network |
US8069352B2 (en) | 2007-02-28 | 2011-11-29 | Sourcefire, Inc. | Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session |
EP2156290B1 (en) * | 2007-04-30 | 2020-03-25 | Cisco Technology, Inc. | Real-time awareness for a computer network |
US8417562B1 (en) | 2007-06-15 | 2013-04-09 | Amazon Technologies, Inc. | Generating a score of a consumer correction submission |
US8688508B1 (en) | 2007-06-15 | 2014-04-01 | Amazon Technologies, Inc. | System and method for evaluating correction submissions with supporting evidence |
US7853689B2 (en) * | 2007-06-15 | 2010-12-14 | Broadcom Corporation | Multi-stage deep packet inspection for lightweight devices |
US8474043B2 (en) * | 2008-04-17 | 2013-06-25 | Sourcefire, Inc. | Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing |
WO2010045089A1 (en) | 2008-10-08 | 2010-04-22 | Sourcefire, Inc. | Target-based smb and dce/rpc processing for an intrusion detection system or intrusion prevention system |
US9390133B2 (en) * | 2009-03-25 | 2016-07-12 | The Quantum Group, Inc. | Method and system for regulating entry of data into a protected system |
WO2011130510A1 (en) | 2010-04-16 | 2011-10-20 | Sourcefire, Inc. | System and method for near-real time network attack detection, and system and method for unified detection via detection routing |
US8433790B2 (en) | 2010-06-11 | 2013-04-30 | Sourcefire, Inc. | System and method for assigning network blocks to sensors |
US8671182B2 (en) | 2010-06-22 | 2014-03-11 | Sourcefire, Inc. | System and method for resolving operating system or service identity conflicts |
KR20120058200A (en) * | 2010-11-29 | 2012-06-07 | 한국전자통신연구원 | System and method of Traffic controling for performing step-by-step traffic control policy |
US8601034B2 (en) | 2011-03-11 | 2013-12-03 | Sourcefire, Inc. | System and method for real time data awareness |
US8938796B2 (en) | 2012-09-20 | 2015-01-20 | Paul Case, SR. | Case secure computer architecture |
CN103096127B (en) * | 2012-12-28 | 2014-07-16 | 中央电视台 | Broadcast monitoring information selecting and filtering method |
US8850467B1 (en) | 2013-03-15 | 2014-09-30 | International Business Machines Corporation | System and method for monitoring video performance |
US9326041B2 (en) | 2013-09-17 | 2016-04-26 | International Business Machines Corporation | Managing quality of experience for media transmissions |
US9819953B2 (en) | 2013-12-31 | 2017-11-14 | International Business Machines Corporation | Decoding media streams within thresholds |
CN103873463A (en) * | 2014-02-26 | 2014-06-18 | 北京优炫软件股份有限公司 | Multistage filter firewall system and multistage filter method |
US10102195B2 (en) | 2014-06-25 | 2018-10-16 | Amazon Technologies, Inc. | Attribute fill using text extraction |
CN105594219B (en) * | 2014-07-31 | 2019-08-20 | Lg 电子株式会社 | Transmitting/reception processing device and method for broadcast singal |
US10438264B1 (en) | 2016-08-31 | 2019-10-08 | Amazon Technologies, Inc. | Artificial intelligence feature extraction service for products |
US11971988B2 (en) * | 2018-12-07 | 2024-04-30 | Arris Enterprises Llc | Detection of suspicious objects in customer premises equipment (CPE) |
EP4256793A1 (en) * | 2020-12-01 | 2023-10-11 | Arris Enterprises, Llc | Partial video async support using r-macphy device |
EP4285518A1 (en) * | 2021-02-01 | 2023-12-06 | Arris Enterprises, Llc | Adaptive video slew rate for video delivery |
WO2022235490A1 (en) * | 2021-05-03 | 2022-11-10 | Arris Enterprises Llc | System for channel map delivery for hi split cable networks |
US11700402B1 (en) * | 2022-03-25 | 2023-07-11 | Nvidia Corporation | Dynamically reducing stutter and latency in video streaming applications |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5848233A (en) * | 1996-12-09 | 1998-12-08 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
US5898830A (en) * | 1996-10-17 | 1999-04-27 | Network Engineering Software | Firewall providing enhanced network security and user transparency |
US6072942A (en) * | 1996-09-18 | 2000-06-06 | Secure Computing Corporation | System and method of electronic mail filtering using interconnected nodes |
US6154775A (en) * | 1997-09-12 | 2000-11-28 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with dynamic rule processing with the ability to dynamically alter the operations of rules |
US6230271B1 (en) * | 1998-01-20 | 2001-05-08 | Pilot Network Services, Inc. | Dynamic policy-based apparatus for wide-range configurable network service authentication and access control using a fixed-path hardware configuration |
US6243815B1 (en) * | 1997-04-25 | 2001-06-05 | Anand K. Antur | Method and apparatus for reconfiguring and managing firewalls and security devices |
US6272136B1 (en) * | 1998-11-16 | 2001-08-07 | Sun Microsystems, Incorporated | Pseudo-interface between control and switching modules of a data packet switching and load balancing system |
US6434618B1 (en) * | 1998-11-12 | 2002-08-13 | Lucent Technologies Inc. | Programmable network element for packet-switched computer network |
US6539394B1 (en) * | 2000-01-04 | 2003-03-25 | International Business Machines Corporation | Method and system for performing interval-based testing of filter rules |
US6546423B1 (en) * | 1998-10-22 | 2003-04-08 | At&T Corp. | System and method for network load balancing |
US6691168B1 (en) * | 1998-12-31 | 2004-02-10 | Pmc-Sierra | Method and apparatus for high-speed network rule processing |
US6728885B1 (en) * | 1998-10-09 | 2004-04-27 | Networks Associates Technology, Inc. | System and method for network access control using adaptive proxies |
US6772348B1 (en) * | 2000-04-27 | 2004-08-03 | Microsoft Corporation | Method and system for retrieving security information for secured transmission of network communication streams |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6141749A (en) * | 1997-09-12 | 2000-10-31 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with stateful packet filtering |
US6448434B1 (en) | 1999-07-29 | 2002-09-10 | Monsanto Technology Llc | Process for making ammonium glyphosate powder |
US6496935B1 (en) * | 2000-03-02 | 2002-12-17 | Check Point Software Technologies Ltd | System, device and method for rapid packet filtering and processing |
US6519703B1 (en) * | 2000-04-14 | 2003-02-11 | James B. Joyce | Methods and apparatus for heuristic firewall |
US7032031B2 (en) * | 2000-06-23 | 2006-04-18 | Cloudshield Technologies, Inc. | Edge adapter apparatus and method |
CN1349176A (en) * | 2001-12-03 | 2002-05-15 | 上海交通大学 | Content safety monitoring system for outer bolletion board system |
-
2002
- 2002-08-12 US US10/217,862 patent/US6983323B2/en not_active Expired - Lifetime
-
2003
- 2003-08-11 DE DE60336240T patent/DE60336240D1/en not_active Expired - Lifetime
- 2003-08-11 CN CNB038241102A patent/CN100445980C/en not_active Expired - Fee Related
- 2003-08-11 EP EP03785167A patent/EP1540502B1/en not_active Expired - Lifetime
- 2003-08-11 AT AT03785167T patent/ATE500675T1/en not_active IP Right Cessation
- 2003-08-11 WO PCT/US2003/025070 patent/WO2004015586A1/en not_active Application Discontinuation
- 2003-08-11 AU AU2003265399A patent/AU2003265399A1/en not_active Abandoned
Patent Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6072942A (en) * | 1996-09-18 | 2000-06-06 | Secure Computing Corporation | System and method of electronic mail filtering using interconnected nodes |
US5898830A (en) * | 1996-10-17 | 1999-04-27 | Network Engineering Software | Firewall providing enhanced network security and user transparency |
US5848233A (en) * | 1996-12-09 | 1998-12-08 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
US6243815B1 (en) * | 1997-04-25 | 2001-06-05 | Anand K. Antur | Method and apparatus for reconfiguring and managing firewalls and security devices |
US6154775A (en) * | 1997-09-12 | 2000-11-28 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with dynamic rule processing with the ability to dynamically alter the operations of rules |
US6230271B1 (en) * | 1998-01-20 | 2001-05-08 | Pilot Network Services, Inc. | Dynamic policy-based apparatus for wide-range configurable network service authentication and access control using a fixed-path hardware configuration |
US6728885B1 (en) * | 1998-10-09 | 2004-04-27 | Networks Associates Technology, Inc. | System and method for network access control using adaptive proxies |
US6546423B1 (en) * | 1998-10-22 | 2003-04-08 | At&T Corp. | System and method for network load balancing |
US6434618B1 (en) * | 1998-11-12 | 2002-08-13 | Lucent Technologies Inc. | Programmable network element for packet-switched computer network |
US6272136B1 (en) * | 1998-11-16 | 2001-08-07 | Sun Microsystems, Incorporated | Pseudo-interface between control and switching modules of a data packet switching and load balancing system |
US6691168B1 (en) * | 1998-12-31 | 2004-02-10 | Pmc-Sierra | Method and apparatus for high-speed network rule processing |
US6539394B1 (en) * | 2000-01-04 | 2003-03-25 | International Business Machines Corporation | Method and system for performing interval-based testing of filter rules |
US6772348B1 (en) * | 2000-04-27 | 2004-08-03 | Microsoft Corporation | Method and system for retrieving security information for secured transmission of network communication streams |
Cited By (233)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070115840A1 (en) * | 2000-10-17 | 2007-05-24 | Feick Wayne A | Method and apparatus for communicating data within measurement traffic |
US20030039212A1 (en) * | 2000-10-17 | 2003-02-27 | Lloyd Michael A. | Method and apparatus for the assessment and optimization of network traffic |
US20030161321A1 (en) * | 2000-10-17 | 2003-08-28 | Karam Mansour J. | Method and apparatus for characterizing the quality of a network path |
US7675868B2 (en) | 2000-10-17 | 2010-03-09 | Avaya Inc. | Method and apparatus for coordinating routing parameters via a back-channel communication medium |
US20020078223A1 (en) * | 2000-10-17 | 2002-06-20 | Baldonado Omar C. | Method and apparatus for performance and cost optimization in an internetwork |
US20040205098A1 (en) * | 2000-10-17 | 2004-10-14 | Lloyd Michael A. | Load optimization |
US7720959B2 (en) | 2000-10-17 | 2010-05-18 | Avaya Inc. | Method and apparatus for characterizing the quality of a network path |
US7756032B2 (en) | 2000-10-17 | 2010-07-13 | Avaya Inc. | Method and apparatus for communicating data within measurement traffic |
US7773536B2 (en) | 2000-10-17 | 2010-08-10 | Avaya Inc. | Method and apparatus for the assessment and optimization of network traffic |
US7840704B2 (en) | 2000-10-17 | 2010-11-23 | Avaya Inc. | Method and apparatus for performance and cost optimization in an internetwork |
US20030120935A1 (en) * | 2001-12-20 | 2003-06-26 | Coretrace Corporation | Kernel-based network security infrastructure |
US7398389B2 (en) | 2001-12-20 | 2008-07-08 | Coretrace Corporation | Kernel-based network security infrastructure |
US9674126B2 (en) | 2002-07-16 | 2017-06-06 | Sonicwall Inc. | Efficient use of resources in message classification |
US9503406B2 (en) | 2002-07-16 | 2016-11-22 | Dell Software Inc. | Active e-mail filter with challenge-response |
US8732256B2 (en) | 2002-07-16 | 2014-05-20 | Sonicwall, Inc. | Message challenge response |
US8396926B1 (en) | 2002-07-16 | 2013-03-12 | Sonicwall, Inc. | Message challenge response |
US8296382B2 (en) | 2002-07-16 | 2012-10-23 | Sonicwall, Inc. | Efficient use of resources in message classification |
US20040015554A1 (en) * | 2002-07-16 | 2004-01-22 | Brian Wilson | Active e-mail filter with challenge-response |
US8990312B2 (en) | 2002-07-16 | 2015-03-24 | Sonicwall, Inc. | Active e-mail filter with challenge-response |
US7539726B1 (en) * | 2002-07-16 | 2009-05-26 | Sonicwall, Inc. | Message testing |
US7921204B2 (en) | 2002-07-16 | 2011-04-05 | Sonicwall, Inc. | Message testing based on a determinate message classification and minimized resource consumption |
US9021039B2 (en) | 2002-07-16 | 2015-04-28 | Sonicwall, Inc. | Message challenge response |
US9215198B2 (en) | 2002-07-16 | 2015-12-15 | Dell Software Inc. | Efficient use of resources in message classification |
US9313158B2 (en) | 2002-07-16 | 2016-04-12 | Dell Software Inc. | Message challenge response |
US20080168145A1 (en) * | 2002-07-16 | 2008-07-10 | Brian Wilson | Active E-mail Filter with Challenge-Response |
US8924484B2 (en) | 2002-07-16 | 2014-12-30 | Sonicwall, Inc. | Active e-mail filter with challenge-response |
US8023421B2 (en) | 2002-07-25 | 2011-09-20 | Avaya Inc. | Method and apparatus for the assessment and optimization of network traffic |
US20070064715A1 (en) * | 2002-07-25 | 2007-03-22 | Avaya, Inc. | Method and apparatus for the assessment and optimization of network traffic |
US20100138909A1 (en) * | 2002-09-06 | 2010-06-03 | O2Micro, Inc. | Vpn and firewall integrated system |
US9524334B2 (en) | 2003-02-20 | 2016-12-20 | Dell Software Inc. | Using distinguishing properties to classify messages |
US8935348B2 (en) | 2003-02-20 | 2015-01-13 | Sonicwall, Inc. | Message classification using legitimate contact points |
US8688794B2 (en) | 2003-02-20 | 2014-04-01 | Sonicwall, Inc. | Signature generation using message summaries |
US7562122B2 (en) | 2003-02-20 | 2009-07-14 | Sonicwall, Inc. | Message classification using allowed items |
US8463861B2 (en) | 2003-02-20 | 2013-06-11 | Sonicwall, Inc. | Message classification using legitimate contact points |
US20040167968A1 (en) * | 2003-02-20 | 2004-08-26 | Mailfrontier, Inc. | Using distinguishing properties to classify messages |
US10042919B2 (en) | 2003-02-20 | 2018-08-07 | Sonicwall Inc. | Using distinguishing properties to classify messages |
US7406502B1 (en) | 2003-02-20 | 2008-07-29 | Sonicwall, Inc. | Method and system for classifying a message based on canonical equivalent of acceptable items included in the message |
US20060235934A1 (en) * | 2003-02-20 | 2006-10-19 | Mailfrontier, Inc. | Diminishing false positive classifications of unsolicited electronic-mail |
US9189516B2 (en) | 2003-02-20 | 2015-11-17 | Dell Software Inc. | Using distinguishing properties to classify messages |
US10027611B2 (en) | 2003-02-20 | 2018-07-17 | Sonicwall Inc. | Method and apparatus for classifying electronic messages |
US10785176B2 (en) | 2003-02-20 | 2020-09-22 | Sonicwall Inc. | Method and apparatus for classifying electronic messages |
US20080021969A1 (en) * | 2003-02-20 | 2008-01-24 | Sonicwall, Inc. | Signature generation using message summaries |
US8271603B2 (en) | 2003-02-20 | 2012-09-18 | Sonicwall, Inc. | Diminishing false positive classifications of unsolicited electronic-mail |
US8266215B2 (en) | 2003-02-20 | 2012-09-11 | Sonicwall, Inc. | Using distinguishing properties to classify messages |
US8112486B2 (en) | 2003-02-20 | 2012-02-07 | Sonicwall, Inc. | Signature generation using message summaries |
US9325649B2 (en) | 2003-02-20 | 2016-04-26 | Dell Software Inc. | Signature generation using message summaries |
US7882189B2 (en) | 2003-02-20 | 2011-02-01 | Sonicwall, Inc. | Using distinguishing properties to classify messages |
US8108477B2 (en) | 2003-02-20 | 2012-01-31 | Sonicwall, Inc. | Message classification using legitimate contact points |
US8484301B2 (en) | 2003-02-20 | 2013-07-09 | Sonicwall, Inc. | Using distinguishing properties to classify messages |
US7908330B2 (en) | 2003-03-11 | 2011-03-15 | Sonicwall, Inc. | Message auditing |
US7974284B2 (en) * | 2003-06-27 | 2011-07-05 | Broadcom Corporation | Single and double tagging schemes for packet processing in a network device |
US20050008009A1 (en) * | 2003-06-27 | 2005-01-13 | Broadcom Corporation | Single and double tagging schemes for packet processing in a network device |
US20050192001A1 (en) * | 2004-02-26 | 2005-09-01 | Isaac Samuel | Controlling processor load in a wireless telecommunications network node |
US7236795B2 (en) * | 2004-02-26 | 2007-06-26 | Lucent Technologies Inc. | Controlling processor load in a wireless telecommunications network node |
US8051481B2 (en) | 2004-09-09 | 2011-11-01 | Avaya Inc. | Methods and systems for network traffic security |
US7596811B2 (en) * | 2004-09-09 | 2009-09-29 | Avaya Inc. | Methods and systems for network traffic security |
US7818805B2 (en) | 2004-09-09 | 2010-10-19 | Avaya Inc. | Methods and systems for network traffic security |
US20060092841A1 (en) * | 2004-09-09 | 2006-05-04 | Avaya Inc. | Methods and systems for network traffic security |
US20060072543A1 (en) * | 2004-09-09 | 2006-04-06 | Lloyd Michael A | Methods of and systems for remote outbound control |
US20090031420A1 (en) * | 2004-09-09 | 2009-01-29 | Lloyd Michael A | Methods and systems for network traffic security |
US20060112430A1 (en) * | 2004-11-19 | 2006-05-25 | Deisenroth Jerrold M | Method and apparatus for immunizing data in computer systems from corruption |
US20060174343A1 (en) * | 2004-11-30 | 2006-08-03 | Sensory Networks, Inc. | Apparatus and method for acceleration of security applications through pre-filtering |
US20070039051A1 (en) * | 2004-11-30 | 2007-02-15 | Sensory Networks, Inc. | Apparatus And Method For Acceleration of Security Applications Through Pre-Filtering |
US20060182124A1 (en) * | 2005-02-15 | 2006-08-17 | Sytex, Inc. | Cipher Key Exchange Methodology |
US20060288217A1 (en) * | 2005-06-01 | 2006-12-21 | Jennings James S | System and method for generating feature-based models of software and content for automatic recognition |
US7725727B2 (en) * | 2005-06-01 | 2010-05-25 | International Business Machines Corporation | Automatic signature generation for content recognition |
US20100128729A1 (en) * | 2005-08-26 | 2010-05-27 | Alaxala Networks Corporation | Packet forwarding device with packet filter |
US7894441B2 (en) * | 2005-08-26 | 2011-02-22 | Alaxala Networks Corporation | Packet forwarding device with packet filter |
US20070153689A1 (en) * | 2006-01-03 | 2007-07-05 | Alcatel | Method and apparatus for monitoring malicious traffic in communication networks |
US9794272B2 (en) * | 2006-01-03 | 2017-10-17 | Alcatel Lucent | Method and apparatus for monitoring malicious traffic in communication networks |
TWI399059B (en) * | 2006-05-05 | 2013-06-11 | Broadcom Corp | Switching network employing adware quarantine techniques |
US20070258437A1 (en) * | 2006-05-05 | 2007-11-08 | Broadcom Corporation, A California Corporation | Switching network employing server quarantine functionality |
US20070258469A1 (en) * | 2006-05-05 | 2007-11-08 | Broadcom Corporation, A California Corporation | Switching network employing adware quarantine techniques |
US10979459B2 (en) | 2006-09-13 | 2021-04-13 | Sophos Limited | Policy management |
US20080120413A1 (en) * | 2006-11-16 | 2008-05-22 | Comcast Cable Holdings, Lcc | Process for abuse mitigation |
WO2008061171A3 (en) * | 2006-11-16 | 2008-10-09 | Comcast Cable Holdings Llc | Process for abuse mitigation |
US11120406B2 (en) * | 2006-11-16 | 2021-09-14 | Comcast Cable Communications, Llc | Process for abuse mitigation |
US20090007251A1 (en) * | 2007-06-26 | 2009-01-01 | Microsoft Corporation | Host firewall integration with edge traversal technology |
US8370919B2 (en) * | 2007-06-26 | 2013-02-05 | Microsoft Corporation | Host firewall integration with edge traversal technology |
US8413124B2 (en) | 2007-07-30 | 2013-04-02 | Huawei Technologies Co., Ltd. | System and method for compiling and matching regular expressions |
CN102217248A (en) * | 2008-09-12 | 2011-10-12 | 惠普公司 | Distributed packet flow inspection and processing |
WO2010031084A1 (en) | 2008-09-12 | 2010-03-18 | 3Com Corporation | Distributed packet flow inspection and processing |
US20100157158A1 (en) * | 2008-12-22 | 2010-06-24 | Ching-Chieh Wang | Signal processing apparatuses capable of processing initially reproduced packets prior to buffering the initially reproduced packets |
TWI387269B (en) * | 2008-12-22 | 2013-02-21 | Mediatek Inc | Packet processing apparatus and packet processing method |
US8910233B2 (en) | 2008-12-22 | 2014-12-09 | Mediatek Inc. | Signal processing apparatuses capable of processing initially reproduced packets prior to buffering the initially reproduced packets |
US8902893B2 (en) | 2008-12-22 | 2014-12-02 | Mediatek Inc. | Packet processing apparatus and method capable of generating modified packets by modifying payloads of specific packets identified from received packets |
US20100246592A1 (en) * | 2009-03-31 | 2010-09-30 | Inventec Corporation | Load balancing method for network intrusion detection |
CN105376167A (en) * | 2009-10-28 | 2016-03-02 | 惠普公司 | Distributed packet stream inspection and processing |
US20110099631A1 (en) * | 2009-10-28 | 2011-04-28 | Willebeek-Lemair Marc | Distributed Packet Flow Inspection and Processing |
US8782787B2 (en) * | 2009-10-28 | 2014-07-15 | Hewlett-Packard Development Company, L.P. | Distributed packet flow inspection and processing |
US8407789B1 (en) * | 2009-11-16 | 2013-03-26 | Symantec Corporation | Method and system for dynamically optimizing multiple filter/stage security systems |
US20120036580A1 (en) * | 2010-07-19 | 2012-02-09 | Sitelock, Llc | Selective website vulnerability and infection testing |
US9246932B2 (en) * | 2010-07-19 | 2016-01-26 | Sitelock, Llc | Selective website vulnerability and infection testing |
US9900337B2 (en) | 2010-07-19 | 2018-02-20 | Sitelock, Llc | Selective website vulnerability and infection testing |
US10177977B1 (en) | 2013-02-13 | 2019-01-08 | Cisco Technology, Inc. | Deployment and upgrade of network devices in a network environment |
WO2015010824A1 (en) * | 2013-07-25 | 2015-01-29 | Siemens Aktiengesellschaft | Monitoring the functionality of a network filtering device |
US9825868B2 (en) | 2014-04-11 | 2017-11-21 | Level 3 Communications, Llc | Incremental application of resources to network traffic flows based on heuristics and business policies |
US9088508B1 (en) * | 2014-04-11 | 2015-07-21 | Level 3 Communications, Llc | Incremental application of resources to network traffic flows based on heuristics and business policies |
US9473456B2 (en) | 2014-04-11 | 2016-10-18 | Level 3 Communications, Llc | Incremental application of resources to network traffic flows based on heuristics and business policies |
US10291534B2 (en) * | 2014-04-11 | 2019-05-14 | Level 3 Communications, Llc | Incremental application of resources to network traffic flows based on heuristics and business policies |
US11792220B2 (en) | 2015-04-17 | 2023-10-17 | Centripetal Networks, Llc | Rule-based network-threat detection |
US11496500B2 (en) | 2015-04-17 | 2022-11-08 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US11700273B2 (en) | 2015-04-17 | 2023-07-11 | Centripetal Networks, Llc | Rule-based network-threat detection |
US11516241B2 (en) | 2015-04-17 | 2022-11-29 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US11012459B2 (en) * | 2015-04-17 | 2021-05-18 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US10374904B2 (en) | 2015-05-15 | 2019-08-06 | Cisco Technology, Inc. | Diagnostic network visualization |
US10116559B2 (en) | 2015-05-27 | 2018-10-30 | Cisco Technology, Inc. | Operations, administration and management (OAM) in overlay data center environments |
US11968102B2 (en) | 2015-06-05 | 2024-04-23 | Cisco Technology, Inc. | System and method of detecting packet loss in a distributed sensor-collector architecture |
US10033766B2 (en) * | 2015-06-05 | 2018-07-24 | Cisco Technology, Inc. | Policy-driven compliance |
US10171319B2 (en) | 2015-06-05 | 2019-01-01 | Cisco Technology, Inc. | Technologies for annotating process and user information for network flows |
US10177998B2 (en) | 2015-06-05 | 2019-01-08 | Cisco Technology, Inc. | Augmenting flow data for improved network monitoring and management |
US10129117B2 (en) | 2015-06-05 | 2018-11-13 | Cisco Technology, Inc. | Conditional policies |
US10181987B2 (en) | 2015-06-05 | 2019-01-15 | Cisco Technology, Inc. | High availability of collectors of traffic reported by network sensors |
US10230597B2 (en) | 2015-06-05 | 2019-03-12 | Cisco Technology, Inc. | Optimizations for application dependency mapping |
US10243817B2 (en) | 2015-06-05 | 2019-03-26 | Cisco Technology, Inc. | System and method of assigning reputation scores to hosts |
US11968103B2 (en) | 2015-06-05 | 2024-04-23 | Cisco Technology, Inc. | Policy utilization analysis |
US10116530B2 (en) | 2015-06-05 | 2018-10-30 | Cisco Technology, Inc. | Technologies for determining sensor deployment characteristics |
US10116531B2 (en) | 2015-06-05 | 2018-10-30 | Cisco Technology, Inc | Round trip time (RTT) measurement based upon sequence number |
US10305757B2 (en) | 2015-06-05 | 2019-05-28 | Cisco Technology, Inc. | Determining a reputation of a network entity |
US10320630B2 (en) | 2015-06-05 | 2019-06-11 | Cisco Technology, Inc. | Hierarchichal sharding of flows from sensors to collectors |
US10326672B2 (en) | 2015-06-05 | 2019-06-18 | Cisco Technology, Inc. | MDL-based clustering for application dependency mapping |
US10326673B2 (en) | 2015-06-05 | 2019-06-18 | Cisco Technology, Inc. | Techniques for determining network topologies |
US10089099B2 (en) | 2015-06-05 | 2018-10-02 | Cisco Technology, Inc. | Automatic software upgrade |
US10439904B2 (en) | 2015-06-05 | 2019-10-08 | Cisco Technology, Inc. | System and method of determining malicious processes |
US10454793B2 (en) | 2015-06-05 | 2019-10-22 | Cisco Technology, Inc. | System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack |
US10505827B2 (en) | 2015-06-05 | 2019-12-10 | Cisco Technology, Inc. | Creating classifiers for servers and clients in a network |
US10505828B2 (en) | 2015-06-05 | 2019-12-10 | Cisco Technology, Inc. | Technologies for managing compromised sensors in virtualized environments |
US10516585B2 (en) | 2015-06-05 | 2019-12-24 | Cisco Technology, Inc. | System and method for network information mapping and displaying |
US10516586B2 (en) | 2015-06-05 | 2019-12-24 | Cisco Technology, Inc. | Identifying bogon address spaces |
US11936663B2 (en) | 2015-06-05 | 2024-03-19 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US11924072B2 (en) | 2015-06-05 | 2024-03-05 | Cisco Technology, Inc. | Technologies for annotating process and user information for network flows |
US10536357B2 (en) | 2015-06-05 | 2020-01-14 | Cisco Technology, Inc. | Late data detection in data center |
US11924073B2 (en) | 2015-06-05 | 2024-03-05 | Cisco Technology, Inc. | System and method of assigning reputation scores to hosts |
US10567247B2 (en) | 2015-06-05 | 2020-02-18 | Cisco Technology, Inc. | Intra-datacenter attack detection |
US11902122B2 (en) | 2015-06-05 | 2024-02-13 | Cisco Technology, Inc. | Application monitoring prioritization |
US11902121B2 (en) | 2015-06-05 | 2024-02-13 | Cisco Technology, Inc. | System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack |
US11902120B2 (en) | 2015-06-05 | 2024-02-13 | Cisco Technology, Inc. | Synthetic data for determining health of a network security system |
US10623284B2 (en) | 2015-06-05 | 2020-04-14 | Cisco Technology, Inc. | Determining a reputation of a network entity |
US10623283B2 (en) | 2015-06-05 | 2020-04-14 | Cisco Technology, Inc. | Anomaly detection through header field entropy |
US10623282B2 (en) | 2015-06-05 | 2020-04-14 | Cisco Technology, Inc. | System and method of detecting hidden processes by analyzing packet flows |
US10659324B2 (en) | 2015-06-05 | 2020-05-19 | Cisco Technology, Inc. | Application monitoring prioritization |
US11894996B2 (en) | 2015-06-05 | 2024-02-06 | Cisco Technology, Inc. | Technologies for annotating process and user information for network flows |
US10686804B2 (en) | 2015-06-05 | 2020-06-16 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10693749B2 (en) | 2015-06-05 | 2020-06-23 | Cisco Technology, Inc. | Synthetic data for determining health of a network security system |
US10142353B2 (en) | 2015-06-05 | 2018-11-27 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US11700190B2 (en) | 2015-06-05 | 2023-07-11 | Cisco Technology, Inc. | Technologies for annotating process and user information for network flows |
US10009240B2 (en) | 2015-06-05 | 2018-06-26 | Cisco Technology, Inc. | System and method of recommending policies that result in particular reputation scores for hosts |
US10728119B2 (en) | 2015-06-05 | 2020-07-28 | Cisco Technology, Inc. | Cluster discovery via multi-domain fusion for application dependency mapping |
US10735283B2 (en) | 2015-06-05 | 2020-08-04 | Cisco Technology, Inc. | Unique ID generation for sensors |
US10742529B2 (en) | 2015-06-05 | 2020-08-11 | Cisco Technology, Inc. | Hierarchichal sharding of flows from sensors to collectors |
US11695659B2 (en) | 2015-06-05 | 2023-07-04 | Cisco Technology, Inc. | Unique ID generation for sensors |
US9979615B2 (en) | 2015-06-05 | 2018-05-22 | Cisco Technology, Inc. | Techniques for determining network topologies |
US10797970B2 (en) | 2015-06-05 | 2020-10-06 | Cisco Technology, Inc. | Interactive hierarchical network chord diagram for application dependency mapping |
US11637762B2 (en) | 2015-06-05 | 2023-04-25 | Cisco Technology, Inc. | MDL-based clustering for dependency mapping |
US10797973B2 (en) | 2015-06-05 | 2020-10-06 | Cisco Technology, Inc. | Server-client determination |
US11601349B2 (en) | 2015-06-05 | 2023-03-07 | Cisco Technology, Inc. | System and method of detecting hidden processes by analyzing packet flows |
US10862776B2 (en) | 2015-06-05 | 2020-12-08 | Cisco Technology, Inc. | System and method of spoof detection |
US11528283B2 (en) | 2015-06-05 | 2022-12-13 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US11522775B2 (en) | 2015-06-05 | 2022-12-06 | Cisco Technology, Inc. | Application monitoring prioritization |
US9967158B2 (en) | 2015-06-05 | 2018-05-08 | Cisco Technology, Inc. | Interactive hierarchical network chord diagram for application dependency mapping |
US11516098B2 (en) | 2015-06-05 | 2022-11-29 | Cisco Technology, Inc. | Round trip time (RTT) measurement based upon sequence number |
US11502922B2 (en) | 2015-06-05 | 2022-11-15 | Cisco Technology, Inc. | Technologies for managing compromised sensors in virtualized environments |
US10904116B2 (en) | 2015-06-05 | 2021-01-26 | Cisco Technology, Inc. | Policy utilization analysis |
US11121948B2 (en) | 2015-06-05 | 2021-09-14 | Cisco Technology, Inc. | Auto update of sensor configuration |
US20160359915A1 (en) * | 2015-06-05 | 2016-12-08 | Cisco Technology, Inc. | Policy-driven compliance |
US11496377B2 (en) | 2015-06-05 | 2022-11-08 | Cisco Technology, Inc. | Anomaly detection through header field entropy |
US10917319B2 (en) | 2015-06-05 | 2021-02-09 | Cisco Technology, Inc. | MDL-based clustering for dependency mapping |
US11102093B2 (en) | 2015-06-05 | 2021-08-24 | Cisco Technology, Inc. | System and method of assigning reputation scores to hosts |
US11153184B2 (en) | 2015-06-05 | 2021-10-19 | Cisco Technology, Inc. | Technologies for annotating process and user information for network flows |
US11252058B2 (en) | 2015-06-05 | 2022-02-15 | Cisco Technology, Inc. | System and method for user optimized application dependency mapping |
US11477097B2 (en) | 2015-06-05 | 2022-10-18 | Cisco Technology, Inc. | Hierarchichal sharding of flows from sensors to collectors |
US10979322B2 (en) | 2015-06-05 | 2021-04-13 | Cisco Technology, Inc. | Techniques for determining network anomalies in data center networks |
US11252060B2 (en) | 2015-06-05 | 2022-02-15 | Cisco Technology, Inc. | Data center traffic analytics synchronization |
US11431592B2 (en) | 2015-06-05 | 2022-08-30 | Cisco Technology, Inc. | System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack |
US11405291B2 (en) | 2015-06-05 | 2022-08-02 | Cisco Technology, Inc. | Generate a communication graph using an application dependency mapping (ADM) pipeline |
US11128552B2 (en) | 2015-06-05 | 2021-09-21 | Cisco Technology, Inc. | Round trip time (RTT) measurement based upon sequence number |
US11368378B2 (en) | 2015-06-05 | 2022-06-21 | Cisco Technology, Inc. | Identifying bogon address spaces |
JP2017073765A (en) * | 2015-10-09 | 2017-04-13 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America | Security device, aggression detection method and program |
US20170180401A1 (en) * | 2015-12-18 | 2017-06-22 | F-Secure Corporation | Protection Against Malicious Attacks |
US10432646B2 (en) * | 2015-12-18 | 2019-10-01 | F-Secure Corporation | Protection against malicious attacks |
US10931629B2 (en) | 2016-05-27 | 2021-02-23 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US11546288B2 (en) | 2016-05-27 | 2023-01-03 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10171357B2 (en) | 2016-05-27 | 2019-01-01 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10289438B2 (en) | 2016-06-16 | 2019-05-14 | Cisco Technology, Inc. | Techniques for coordination of application components deployed on distributed virtual machines |
US10708183B2 (en) | 2016-07-21 | 2020-07-07 | Cisco Technology, Inc. | System and method of providing segment routing as a service |
US11283712B2 (en) | 2016-07-21 | 2022-03-22 | Cisco Technology, Inc. | System and method of providing segment routing as a service |
US10972388B2 (en) | 2016-11-22 | 2021-04-06 | Cisco Technology, Inc. | Federated microburst detection |
US10708152B2 (en) | 2017-03-23 | 2020-07-07 | Cisco Technology, Inc. | Predicting application and network performance |
US11088929B2 (en) | 2017-03-23 | 2021-08-10 | Cisco Technology, Inc. | Predicting application and network performance |
US11252038B2 (en) | 2017-03-24 | 2022-02-15 | Cisco Technology, Inc. | Network agent for generating platform specific network policies |
US10523512B2 (en) | 2017-03-24 | 2019-12-31 | Cisco Technology, Inc. | Network agent for generating platform specific network policies |
US10250446B2 (en) | 2017-03-27 | 2019-04-02 | Cisco Technology, Inc. | Distributed policy store |
US10594560B2 (en) | 2017-03-27 | 2020-03-17 | Cisco Technology, Inc. | Intent driven network policy platform |
US11146454B2 (en) | 2017-03-27 | 2021-10-12 | Cisco Technology, Inc. | Intent driven network policy platform |
US10764141B2 (en) | 2017-03-27 | 2020-09-01 | Cisco Technology, Inc. | Network agent for reporting to a network policy system |
US11509535B2 (en) | 2017-03-27 | 2022-11-22 | Cisco Technology, Inc. | Network agent for reporting to a network policy system |
US10873794B2 (en) | 2017-03-28 | 2020-12-22 | Cisco Technology, Inc. | Flowlet resolution for application performance monitoring and management |
US11202132B2 (en) | 2017-03-28 | 2021-12-14 | Cisco Technology, Inc. | Application performance monitoring and management platform with anomalous flowlet resolution |
US11863921B2 (en) | 2017-03-28 | 2024-01-02 | Cisco Technology, Inc. | Application performance monitoring and management platform with anomalous flowlet resolution |
US11683618B2 (en) | 2017-03-28 | 2023-06-20 | Cisco Technology, Inc. | Application performance monitoring and management platform with anomalous flowlet resolution |
US11157579B2 (en) | 2017-05-03 | 2021-10-26 | Uber Technologies, Inc. | Optimizing listing efficiency and efficacy for a delivery coordination system |
US20180322203A1 (en) * | 2017-05-03 | 2018-11-08 | Uber Technologies, Inc. | Optimizing listing efficiency and efficacy for a delivery coordination system |
US10713318B2 (en) * | 2017-05-03 | 2020-07-14 | Uber Technologies, Inc. | Optimizing listing efficiency and efficacy for a delivery coordination system |
US10680887B2 (en) | 2017-07-21 | 2020-06-09 | Cisco Technology, Inc. | Remote device status audit and recovery |
US10997303B2 (en) | 2017-09-12 | 2021-05-04 | Sophos Limited | Managing untyped network traffic flows |
US11620396B2 (en) | 2017-09-12 | 2023-04-04 | Sophos Limited | Secure firewall configurations |
US10878110B2 (en) | 2017-09-12 | 2020-12-29 | Sophos Limited | Dashboard for managing enterprise network traffic |
US11093624B2 (en) | 2017-09-12 | 2021-08-17 | Sophos Limited | Providing process data to a data recorder |
US10885212B2 (en) | 2017-09-12 | 2021-01-05 | Sophos Limited | Secure management of process properties |
US11017102B2 (en) | 2017-09-12 | 2021-05-25 | Sophos Limited | Communicating application information to a firewall |
US11966482B2 (en) | 2017-09-12 | 2024-04-23 | Sophos Limited | Managing untyped network traffic flows |
US10885211B2 (en) | 2017-09-12 | 2021-01-05 | Sophos Limited | Securing interprocess communications |
US10885213B2 (en) | 2017-09-12 | 2021-01-05 | Sophos Limited | Secure firewall configurations |
US11044170B2 (en) | 2017-10-23 | 2021-06-22 | Cisco Technology, Inc. | Network migration assistant |
US10554501B2 (en) | 2017-10-23 | 2020-02-04 | Cisco Technology, Inc. | Network migration assistant |
US10523541B2 (en) | 2017-10-25 | 2019-12-31 | Cisco Technology, Inc. | Federated network and application data analytics platform |
US10904071B2 (en) | 2017-10-27 | 2021-01-26 | Cisco Technology, Inc. | System and method for network root cause analysis |
US10594542B2 (en) | 2017-10-27 | 2020-03-17 | Cisco Technology, Inc. | System and method for network root cause analysis |
US11233821B2 (en) | 2018-01-04 | 2022-01-25 | Cisco Technology, Inc. | Network intrusion counter-intelligence |
US11750653B2 (en) | 2018-01-04 | 2023-09-05 | Cisco Technology, Inc. | Network intrusion counter-intelligence |
US11765046B1 (en) | 2018-01-11 | 2023-09-19 | Cisco Technology, Inc. | Endpoint cluster assignment and query generation |
US10999149B2 (en) | 2018-01-25 | 2021-05-04 | Cisco Technology, Inc. | Automatic configuration discovery based on traffic flow data |
US10574575B2 (en) | 2018-01-25 | 2020-02-25 | Cisco Technology, Inc. | Network flow stitching using middle box flow stitching |
US11924240B2 (en) | 2018-01-25 | 2024-03-05 | Cisco Technology, Inc. | Mechanism for identifying differences between network snapshots |
US10917438B2 (en) | 2018-01-25 | 2021-02-09 | Cisco Technology, Inc. | Secure publishing for policy updates |
US10798015B2 (en) | 2018-01-25 | 2020-10-06 | Cisco Technology, Inc. | Discovery of middleboxes using traffic flow stitching |
US10826803B2 (en) | 2018-01-25 | 2020-11-03 | Cisco Technology, Inc. | Mechanism for facilitating efficient policy updates |
US10873593B2 (en) | 2018-01-25 | 2020-12-22 | Cisco Technology, Inc. | Mechanism for identifying differences between network snapshots |
US11128700B2 (en) | 2018-01-26 | 2021-09-21 | Cisco Technology, Inc. | Load balancing configuration based on traffic flow telemetry |
EP3923519A4 (en) * | 2019-02-08 | 2022-07-27 | Panasonic Intellectual Property Corporation of America | Abnormality determination method, abnormality determination device, and program |
US11843477B2 (en) * | 2019-02-08 | 2023-12-12 | Panasonic Intellectual Property Corporation Of America | Anomaly determination method, anomaly determination device, and recording medium |
US11516045B2 (en) | 2019-02-08 | 2022-11-29 | Panasonic Intellectual Property Corporation Of America | Anomaly determination method, anomaly determination device, and recording medium |
US20230048058A1 (en) * | 2019-02-08 | 2023-02-16 | Panasonic Intellectual Property Corporation Of America | Anomaly determination method, anomaly determination device, and recording medium |
Also Published As
Publication number | Publication date |
---|---|
EP1540502A4 (en) | 2009-11-25 |
AU2003265399A1 (en) | 2004-02-25 |
US6983323B2 (en) | 2006-01-03 |
EP1540502A1 (en) | 2005-06-15 |
CN100445980C (en) | 2008-12-24 |
WO2004015586A1 (en) | 2004-02-19 |
ATE500675T1 (en) | 2011-03-15 |
EP1540502B1 (en) | 2011-03-02 |
DE60336240D1 (en) | 2011-04-14 |
CN1816804A (en) | 2006-08-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6983323B2 (en) | Multi-level packet screening with dynamically selected filtering criteria | |
US7937761B1 (en) | Differential threat detection processing | |
US9392002B2 (en) | System and method of providing virus protection at a gateway | |
US7808897B1 (en) | Fast network security utilizing intrusion prevention systems | |
EP1558937B1 (en) | Active network defense system and method | |
Kruegel et al. | Stateful intrusion detection for high-speed network's | |
US9143525B2 (en) | Integrated network intrusion detection | |
US7467408B1 (en) | Method and apparatus for capturing and filtering datagrams for network security monitoring | |
EP2619958B1 (en) | Ip prioritization and scoring method and system for ddos detection and mitigation | |
US8607066B1 (en) | Content inspection using partial content signatures | |
US7103046B2 (en) | Method and apparatus for intelligent sorting and process determination of data packets destined to a central processing unit of a router or server on a data packet network | |
US8416773B2 (en) | Packet monitoring | |
EP1122932B1 (en) | Protection of computer networks against malicious content | |
US20080289040A1 (en) | Source/destination operating system type-based IDS virtualization | |
US20080298392A1 (en) | Packet processing | |
Hartmeier et al. | Design and Performance of the OpenBSD Stateful Packet Filter (pf). | |
EP1301801A1 (en) | Method for preventing denial of service attacks | |
US9032524B2 (en) | Line-rate packet filtering technique for general purpose operating systems | |
US7099940B2 (en) | System, method and computer program product for processing network accounting information | |
US20140259140A1 (en) | Using learned flow reputation as a heuristic to control deep packet inspection under load | |
EP2112800B1 (en) | Method and system for enhanced recognition of attacks to computer systems | |
Tayyebi et al. | A comparative study of open source network based intrusion detection systems | |
Bukhatwa et al. | Effects of Ordered Access Lists in Firewalls. | |
Bul’ajoul et al. | ‘Using Cisco network components to improve NIDPS performance |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: TIPPINGPOINT TECHNOLOGIES, INC., TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CANTRELL, CRAIG;WILLEBEEK-LEMAIR, MARC;COX, DENNIS;AND OTHERS;REEL/FRAME:013198/0356;SIGNING DATES FROM 20020724 TO 20020729 |
|
AS | Assignment |
Owner name: COMERICA BANK-CALIFORNIA, CALIFORNIA Free format text: SECURITY INTEREST;ASSIGNOR:TIPPINGPOINT TECHNOLOGIES, INC.;REEL/FRAME:013908/0363 Effective date: 20020730 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: 3COM CORPORATION, MASSACHUSETTS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TIPPINGPOINT TECHNOLOGIES, INC.;REEL/FRAME:018085/0786 Effective date: 20060810 |
|
AS | Assignment |
Owner name: TIPPINGPOINT TECHNOLOGIES, INC., TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:3COM CORPORATION;REEL/FRAME:021023/0837 Effective date: 20080529 |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
AS | Assignment |
Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TIPPINGPOINT TECHNOLOGIES, INC.;REEL/FRAME:024755/0973 Effective date: 20100720 |
|
FPAY | Fee payment |
Year of fee payment: 8 |
|
AS | Assignment |
Owner name: HEWLETT-PACKARD COMPANY, SUCCESSOR IN INTEREST TO Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:COMERICA BANK;REEL/FRAME:035844/0295 Effective date: 20140609 |
|
AS | Assignment |
Owner name: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP, TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.;REEL/FRAME:036987/0001 Effective date: 20151002 |
|
AS | Assignment |
Owner name: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP, TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.;REEL/FRAME:037079/0001 Effective date: 20151027 |
|
AS | Assignment |
Owner name: TREND MICRO INCORPORATED, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP;REEL/FRAME:039203/0047 Effective date: 20160308 |
|
AS | Assignment |
Owner name: TREND MICRO INCORPORATED, JAPAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TREND MICRO INCORPORATED;REEL/FRAME:039512/0945 Effective date: 20160414 |
|
FPAY | Fee payment |
Year of fee payment: 12 |